
Abstract:

A terminal device recording content onto a recording medium device, a
permission to record the content onto the recording medium device being
granted by a server device, the terminal device comprising: a generation
unit generating a value calculated so as to represent subject content for
which permission to record is requested; an information transmission unit
requesting the permission from the server device by transmitting
information indicating the value generated by the generation unit to the
server device; a signature reception unit receiving subject content
signature data from the server device, the subject content signature data
being transmitted by the server device upon granting the permission; and
a recording unit recording the subject content onto the recording medium
device as one of plain-text data and encrypted data, as well as the
subject content signature data received by the signature reception unit.

Claims:

1. A terminal device recording content onto a recording medium device, a
permission to record the content onto the recording medium device being
granted by a server device, the terminal device comprising: a generation
unit generating a value calculated so as to represent subject content for
which a permission to record onto the recording medium device is
requested; an information transmission unit requesting the permission
from the server device to record the subject content onto the recording
medium device by transmitting information indicating the value generated
by the generation unit to the server device; a signature reception unit
receiving subject content signature data from the server device, the
subject content signature data being transmitted by the server device
upon granting the permission to record the subject content onto the
recording medium device; and a recording unit recording the subject
content onto the recording medium device as one of plain-text data and
encrypted data, as well as the subject content signature data received by
the signature reception unit.

2. The terminal device of claim 1, wherein the generation unit generates
a hash value for the subject content to serve as the value.

3. The terminal device of claim 2, wherein the generation unit generates
the hash value for each of a plurality of content portions making up the
subject content, and upon receipt of designation information designating
one or more of the content portions, the information transmission unit
further transmits each designated content portion to the server device as
designated by the designation information transmitted by the server
device in order to determine whether or not to grant the permission.

4. The terminal device of claim 1, wherein the data recorded onto the
recording medium device by the recording unit result from encryption of
the subject content using a title key for the subject content.

5. A server device determining whether or not to grant to a terminal
device a permission to record content onto a recording medium device, the
server device comprising: an information reception unit receiving
information from the terminal device, the information indicating a value
calculated so as to represent subject content for which a permission to
record onto the recording medium device is requested; a determination
unit determining whether or not to grant the permission to record the
subject content onto the recording medium device depending on the value
indicated in the information received by the information reception unit;
a signature unit generating subject content signature data when the
determination unit grants the permission to record; and a signature
transmission unit transmitting the subject content signature data
generated by the signature unit to the terminal device.

6. The server device of claim 5, wherein the information received by the
information reception unit indicates hash values each calculated for one
of a plurality of content portions making up the subject content, the
server device further comprises a designation unit generating designation
information and transmitting the designation information to the terminal
device, the designation information designating one or more of the
content portions to be transmitted by the terminal device upon receipt of
the information by the information reception unit, the information
reception unit further receives each designated content portion
transmitted by the terminal device in response to the designation
information transmitted by the designation unit, and the determination
unit determines whether or not matching occurs between: a designated hash
value of the portion designated in the designation information generated
by the designation unit, among the hash values in the information
received by the information reception unit, and a calculated hash value
for the designated content portion received by the information reception
unit, and grants the permission to record the subject content onto the
recording medium device upon matching.

7. The server device of claim 6, wherein the designation unit generates
position information indicating a position within the subject content for
at least one randomly-selected content portion among the content portions
making up the subject content for use as the designation information.

8. The server device of claim 5, further comprising: an authentication
information reception unit receiving authentication information
transmitted to the server device and to the terminal device from an
authentication device upon authenticating the subject content as being
pre-registered, in response to a request from the terminal device; a
title key generation unit generating one of a plain-text title key and an
encrypted title key for the subject content upon receipt of
authentication information transmitted by the terminal device that
matches the authentication information received by the authentication
information reception unit, the key being used by the terminal device
when recording the subject content onto the recording medium device as
encrypted data; and a title key transmission unit transmitting one of the
title key generated by the title key generation unit and a calculated
title key generated by applying a predetermined operation to the title
key to the recording medium device for recording.

9. A content recording control system, comprising: a server device
determining whether or not to grant a permission to record content onto a
recording medium device; and a terminal device recording the content onto
the recording medium device, the permission to record the content onto
the recording medium device being granted by the server device, the
terminal device comprising: a generation unit generating a value
calculated so as to represent subject content for which a permission to
record onto the recording medium device is requested; an information
transmission unit requesting the permission from the server device to
record the subject content onto the recording medium device by
transmitting information indicating the value generated by the generation
unit to the server device; a signature reception unit receiving subject
content signature data from the server device, the subject content
signature data being transmitted by the server device upon granting the
permission to record the subject content onto the recording medium
device; and a recording unit recording the subject content onto the
recording medium device as one of plain-text data and encrypted data, as
well as the subject content signature data received by the signature
reception unit, and the server device comprising: an information
reception unit receiving the information transmitted by the terminal
device; a determination unit determining whether or not to grant the
permission to record the subject content onto the recording medium device
depending on the value indicated in the information received by the
information reception unit; a signature unit generating subject content
signature data when the determination unit grants the permission to
record; and a signature transmission unit transmitting the subject
content signature data generated by the signature unit to the terminal
device.

10. A recording method for use by a terminal device recording content
onto a recording medium device, a permission to record the content onto
the recording medium device being granted by a server device, the
recording method comprising: a generation step of generating a value
calculated so as to represent subject content for which a permission to
record onto the recording medium device is requested; an information
transmission step of requesting the permission from the server device to
record the subject content onto the recording medium device by
transmitting information indicating the value generated in the generation
step to the server device; a signature reception step of receiving
subject content signature data from the server device, the subject
content signature data being transmitted by the server device upon
granting the permission to record the subject content onto the recording
medium device; and a recording step of recording the subject content onto
the recording medium device as one of plain-text data and encrypted data,
as well as the subject content signature data received in the signature
reception step.

11. A recording permission control method for use by a server device
determining whether or not to grant to a terminal device a permission to
record content onto a recording medium device, the recording permission
control method comprising: an information reception step of receiving
information from the terminal device, the information indicating a value
calculated so as to represent subject content for which a permission to
record onto the recording medium device is requested; a determination
step of determining whether or not to grant the permission to record the
subject content onto the recording medium device depending on the value
indicated in the information received in the information reception step;
a signature step of generating subject content signature data when the
permission to record is granted in the determination step; and a
signature transmission step of transmitting the subject content signature
data generated in the signature step to the terminal device.

Description:

CROSS REFERENCE TO RELATED APPLICATION

[0001] This application claims benefit to the provisional U.S. Application
61/496,188, filed on Jun. 13, 2011.

[0003] Advanced Access Content System (hereinafter, AACS) is known as
copyright protection technology used for digital copyrighted works, such
as movies and music. For example, AACS is used to protect content
recorded on a Blu-Ray Disc® (hereinafter, BD).

[0004] An AACS-compliant terminal device playing back the content reads
out the content recorded on a BD-ROM (which is a read-only medium) along
with a media key block (hereinafter, MKB) required to decrypt the
content, then decrypts the content using the MKB in combination with a
device key issued in advance. The terminal device is thus able to play
back the content.

[0005] Incidentally, a need to copy or move (the term "copy" is
hereinafter used to include move operations) content protected by AACS
and acquired by the terminal device to a recording medium device (e.g.,
SD memory) may arise in the course of playing back the content on a
different device.

[0010] However, freely allowing such copying of the content leads to an
inability to maintain copyright protection therefor.

[0011] In consideration of this problem, one non-limiting and exemplary
Embodiment provides a terminal device capable of inhibiting the recording
of non-permitted content, such as illegitimately duplicated content, onto
a recording medium device.

[0012] In one general aspect, the technology here disclosed features a
terminal device recording content onto a recording medium device, a
permission to record the content onto the recording medium device being
granted by a server device, the terminal device comprising: a generation
unit generating a value calculated so as to represent subject content for
which a permission to record onto the recording medium device is
requested; an information transmission unit requesting the permission
from the server device to record the subject content onto the recording
medium device by transmitting information indicating the value generated
by the generation unit to the server device; a signature reception unit
receiving subject content signature data from the server device, the
subject content signature data being transmitted by the server device
upon granting the permission to record the subject content onto the
recording medium device; and a recording unit recording the subject
content onto the recording medium device as one of plain-text data and
encrypted data, as well as the subject content signature data received by
the signature reception unit.

[0013] According to the terminal device pertaining to the above aspect,
only content for which a permission to record has been granted by the
server device is recordable onto the recording medium device, thus
inhibiting the recording of illegitimately duplicated content.

[0014] These general and specific aspects may be implemented using a
system, a method, and a computer program, and any combination of systems,
methods, and computer programs.

[0015] Additional benefits and advantages of the disclosed embodiments
will be apparent from the specification and figures. The benefits and/or
advantages may be individually provided by the various embodiments and
features of the specification and drawings disclosure, and need not all
be provided in order to obtain one or more of the same.

BRIEF DESCRIPTION OF DRAWINGS

[0016] FIG. 1 is a block diagram illustrating the system configuration of
a content distribution system 1000 pertaining to an exemplary Embodiment.

[0017] FIG. 2 is a block diagram illustrating the principal functional
configuration of a content production device 100 pertaining to the
exemplary Embodiment.

[0018] FIG. 3 is a flowchart of a content production process by the
content production device 100 pertaining to the exemplary Embodiment.

[0019] FIG. 4 is a block diagram illustrating the principal functional
configuration of a key issuance device 200 pertaining to the exemplary
Embodiment.

[0028] FIG. 13 illustrates a data configuration example for unsigned data
70 received by the key distribution device 400 and for signed data 76
transmitted by the key distribution device 400 pertaining to the
exemplary Embodiment.

[0029] FIG. 14 is a flowchart indicating a pre-distribution process by the
key distribution device 400 pertaining to the exemplary Embodiment.

[0030] FIG. 15 is a flowchart indicating a distribution process by the key
distribution device 400 pertaining to the exemplary Embodiment.

[0031] FIG. 16 is a block diagram illustrating the principal functional
configuration of a terminal device 500 performing a receiving and writing
process pertaining to the exemplary Embodiment.

[0032] FIG. 17 is a block diagram illustrating the principal functional
configuration of the terminal device 500 performing a playback process
pertaining to the exemplary Embodiment.

[0033] FIG. 18 is a flowchart of the reception and writing process by the
terminal device 500 pertaining to the exemplary Embodiment.

[0034] FIG. 19 is a flowchart of the playback process by the terminal
device 500 pertaining to the exemplary Embodiment.

[0035] FIG. 20 is a block diagram illustrating the principal functional
configuration of a recording medium device 600 pertaining to the
exemplary Embodiment.

[0036] FIG. 21 is a flowchart indicating a writing process by the
recording medium device 600 pertaining to the exemplary Embodiment.

[0037] FIG. 22 is a block diagram illustrating the configuration of a
server device 2400 and a terminal device 2500 in a content recording
control system 2000 pertaining to another exemplary Embodiment of the
invention.

[0038] FIG. 23 is a flowchart of a recording method pertaining to the
other exemplary Embodiment of the invention.

[0039] FIG. 24 is a flowchart of a recording permission control method
pertaining to the other exemplary Embodiment of the invention.

[0040] FIG. 25 is a flowchart indicating a distribution process by a key
distribution device pertaining to a variant Embodiment.

[0041] FIG. 26 is a flowchart of the reception and writing process by a
terminal device pertaining to the variant Embodiment.

[0042] FIG. 27 is a flowchart of the playback process by the terminal
device pertaining to the variant Embodiment.

[0043] FIG. 28 is a flowchart indicating a writing process by a recording
medium device pertaining to the variant Embodiment.

DETAILED DESCRIPTION

[0044] The following describes a content distribution system 1000,
including a key distribution device and a terminal device, as an
exemplary Embodiment of a content recording management system, made up of
a server device and a terminal device, pertaining to the present
disclosure.

Exemplary Embodiment

[0045] (Outline)

[0046] In order to, for example, play back content protected by AACS and
acquired by the terminal device on a device other than the terminal
device, the content may be copied onto a recording medium device (e.g.,
SD memory) using non-AACS copyright protection technology.

[0047] Plausible methods for accomplishing such copying onto the recording
medium device include, for example, having the terminal device decrypt
the AACS-protected content (i.e., encrypted content) to acquire
plain-text content, encrypt the plain-text content using a method
conforming to the non-AACS copyright protection technology, and then
write the result to the recording medium device.

[0048] However, this method involves granting the terminal device
processing privileges pertaining to content protection. In the event that
the terminal device is hacked, there is a risk that content may be
recorded onto the recording medium device without protection and thus be
illicitly duplicated.

[0049] In consideration of this issue, the present disclosure has the key
distribution device determine whether or not to grant the terminal device
a permission to record the content onto the recording medium device, and
generate signed data only when the permission is granted. The terminal
device then records the signed data so generated together with the content
on the recording medium device. Also, a legitimate playback device is
unable to play back the content unless the signed data are recorded with
it. Thus, the legitimate playback device is unable to play back content
that a hacked terminal device has recorded onto the recording medium
device on its own, without the signed data.

[0050] Accordingly, the recording of illicitly duplicated content and
similar disallowed content onto the recording medium device in playable
form is inhibited.

[0051] (System Configuration)

[0052] FIG. 1 is a block diagram illustrating the system configuration of
a content distribution system 1000 pertaining to the exemplary
Embodiment.

[0053] The content distribution system 1000 is made up of a content
production device 100, a key issuance device 200, a content distribution
authentication device 300, a key distribution device 400, a terminal
device 500, and a recording medium device 600.

[0054] The terminal device 500 is, for example, a DVD or BD player capable
of playing back a recording medium, such as a DVD, BD, or similar optical
disc, is able to connect to a network, and is installed in a user's home
or the like for content viewing purposes. The recording medium device 600
is an SD card or similar memory card usable by insertion into a card slot
on the terminal device 500. The content distribution authentication
device 300 corresponds to the AACS managed copy authentication server
used in AACS.

[0055] The content production device 100 and the content distribution
authentication device 300 are connected via a network, as are the key
issuance device 200 and the key distribution device 400, and the content
distribution authentication device 300, the key distribution device 400,
and the terminal device 500.

[0056] (Configuration of Content Production Device 100)

[0057] FIG. 2 is a block diagram illustrating the functional configuration
of the principal components of the content production device 100.

[0059] The content production device 100 includes a processor, memory, and
a network interface card (hereinafter, NIC). The functions of the editing
unit 121, the title key generation unit 131, the encryption unit 141, the
content ID generation unit 151, and the signature unit 152 are each
realized by having the processor execute a program stored in the memory.
Data transmission by the content ID and UR registration unit 180 is
performed using the NIC.

[0060] The content production device private key and certificate storage
unit 111 is a memory area for storing a content production device private
key and a paired content production device certificate. The details of
the writing process for the content production device private key and
certificate are omitted.

[0061] The material storage unit 120 is a memory area for storing
audiovisual materials for a movie or similar. The production method for
the audiovisual materials themselves is omitted.

[0062] The editing unit 121 edits the materials stored in the material
storage unit 120, then outputs the edited materials to the encryption
unit 141.

[0063] The title key storage unit 130 is a memory area for storing a title
key.

[0064] The title key generation unit 131 generates the title key for
storage in the title key storage unit 130. The title key is, for example,
a 128-bit random number.

[0065] The content storage unit 140 is a memory area for storing encrypted
content. Unless otherwise specified, encrypted content is hereinafter
referred to as content, while unencrypted content is referred to as
plain-text content.

[0066] The encryption unit 141 encrypts the materials output from the
editing unit 121 using the title key stored in the title key storage unit
130 to generate content for storage in the content storage unit 140.

[0067] The content ID storage unit 150 is a memory area for storing a
content ID having a signature.

[0068] The content ID generation unit 151 generates the content ID for
identifying the content according to the content stored in the content
storage unit 140, and then outputs the content ID to the signature unit
152. The content ID may be any information identifying the content, and
may be generated as follows, for example. The content is divided into a
plurality of portions, a hash value is calculated for each portion, and a
hash table is generated from the hash values so calculated. A hash value
is then calculated for the hash table as a whole, and this hash value is
usable as the content ID. In the BD example, the CCID, which is a portion
of the Content Cert specified in AACS, may be used as the content ID.

[0069] The signature unit 152 signs the content ID output by the content
ID generation unit 151 using the content production device private key
stored in the content production device private key and certificate
storage unit 111 and stores the result in the content ID storage unit
150.

[0070] The content distribution unit 160 distributes the content stored in
the content storage unit 140 and the hash table and so on generated
during the generation process by the content ID generation unit 151 to
the terminal device 500. No particular limitation is intended regarding
the method of distribution to the terminal device 500. However, in the
exemplary Embodiment, the content distribution unit 160 records the
content and so on onto a recording medium such as a DVD, BD, or similar
optical disc. Then, the recording medium on which the content is recorded
is sold through a physical market and thus distributed to the terminal
device 500 installed in the user's home. The aforementioned hash table is
used for content verification by the terminal device 500 playing back the
content recorded and distributed on the optical disc or the like. In the
AACS example, at playback time, the terminal device calculates hash
values for seven randomly-selected points within each of the pieces of
content. The playback device then compares the hash value so calculated
to hash values for the corresponding portions listed in the distributed
hash table, such that playback is permitted when all seven portions
match.
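The following is an added example, not code from the patent or from any AACS implementation, showing the hash-table scheme of paragraphs [0068] and [0070] together with the random spot-check exchange of claims 3, 6 and 7: the terminal hashes each portion and sends the table, the server designates random positions, the terminal returns those portions, and the server recomputes their hashes before issuing signed data that a player later checks. Everything concrete here is an assumption: SHA-256 as the hash, 64-byte portions, constructed sample content, and an HMAC tag standing in for the key distribution device's private-key signature so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

PORTION_SIZE = 64      # assumed portion length; the patent leaves this unspecified
SPOT_CHECK_COUNT = 7   # the AACS playback example in the text checks seven points

# Constructed sample content: 16 portions of 64 bytes each (not real disc data).
SAMPLE_CONTENT = b"".join(bytes([i]) * PORTION_SIZE for i in range(16))

# Hypothetical server-side secret. The patent uses a private-key signature for the
# signed data; HMAC-SHA256 is a stand-in so the example needs no extra libraries.
SERVER_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def split_portions(content: bytes, size: int = PORTION_SIZE) -> list:
    """Divide the content into fixed-size portions (the last one may be shorter)."""
    return [content[i:i + size] for i in range(0, len(content), size)]


def build_hash_table(content: bytes) -> list:
    """One SHA-256 digest per portion, in portion order (the hash table of [0068])."""
    return [hashlib.sha256(p).digest() for p in split_portions(content)]


def content_id_from_table(hash_table: list) -> str:
    """Hash of the whole hash table; the text says this value may serve as content ID."""
    return hashlib.sha256(b"".join(hash_table)).hexdigest()


# --- server side (key distribution device) ---------------------------------

def designate_positions(num_portions: int, count: int = SPOT_CHECK_COUNT, rng=None) -> list:
    """Pick `count` distinct portion positions at random (claim 7).
    `rng` is injectable only for deterministic testing; default is the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(num_portions), min(count, num_portions)))


def verify_designated_portions(claimed_table: list, positions: list, portions: dict) -> bool:
    """Recompute the hash of each designated portion and compare it with the hash the
    terminal claimed for that position (claim 6). Fails closed on anything missing."""
    if not positions:
        return False
    for pos in positions:
        if pos not in portions or pos >= len(claimed_table):
            return False
        actual = hashlib.sha256(portions[pos]).digest()
        if not hmac.compare_digest(actual, claimed_table[pos]):
            return False
    return True


def sign_content_id(content_id: str) -> bytes:
    """Subject content signature data, issued only once the permission is granted."""
    return hmac.new(SERVER_SIGNING_KEY, content_id.encode(), hashlib.sha256).digest()


def signature_valid(content_id: str, signature: bytes) -> bool:
    return hmac.compare_digest(sign_content_id(content_id), signature)


# --- the exchange and the playback-side check --------------------------------

def request_record_permission(held_content: bytes, claimed_table: list, rng=None):
    """Terminal sends `claimed_table`; server designates positions; terminal returns
    those portions of `held_content`; server verifies and signs, or refuses (None).
    Keeping held content and claimed table separate lets a mismatch be exercised."""
    positions = designate_positions(len(claimed_table), rng=rng)
    held = split_portions(held_content)
    response = {p: held[p] for p in positions if p < len(held)}
    if not verify_designated_portions(claimed_table, positions, response):
        return None
    return sign_content_id(content_id_from_table(claimed_table))


def playback_allowed(recorded: dict) -> bool:
    """A legitimate player refuses content recorded without valid signed data ([0049])."""
    signature = recorded.get("signature")
    if signature is None:
        return False
    table = build_hash_table(recorded["content"])
    return signature_valid(content_id_from_table(table), signature)


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_CONTENT)
    sig = request_record_permission(SAMPLE_CONTENT, table)
    print("honest terminal granted:", sig is not None)
    print("playable with signed data:", playback_allowed({"content": SAMPLE_CONTENT, "signature": sig}))
    print("playable without signed data:", playback_allowed({"content": SAMPLE_CONTENT}))
```

The spot check is probabilistic by design: a terminal that submits the genuine hash table but holds content altered only in portions the server did not designate would pass, which is why the text has the server choose the positions at random and only at request time. The playback check closes the other route described in [0049]: content written without the server's signed data, or whose content ID no longer matches the recorded bytes, is refused by a conforming player.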

[0071] The UR storage unit 170 is a memory area for storing Usage Rules
(hereinafter, UR), which are conditions for content playback and copying.

[0072] The UR input unit 171 includes a keyboard or similar input device,
receives UR input from the operator or the like of the content production
device 100, and stores the UR in a predetermined format in the UR storage
unit 170.

[0073] The content ID and UR registration unit 180 registers the content
ID stored in the content ID storage unit 150 and the UR stored in the UR
storage unit 170 through transmission via the network to the content
distribution authentication device 300.

[0074] (Production Process for Content Production Device 100)

[0075] FIG. 3 is a flowchart indicating the content production process by
the content production device 100.

[0076] The order of operations given below as steps S110 through S190 is
an example of the content production processing. For example, provided
that step S110 is completed before S160 begins, steps S120 and S130 are
completed before step S140 begins, and steps S160 and S180 are completed
before step S190 begins, the ordering of the steps is not limited to that
given below.

[0077] As indicated, the content production device private key and paired
certificate are stored in the content production device private key and
certificate storage unit 111 (step S110).

[0078] The editing unit 121 edits the materials stored in the material
storage unit 120 (step S120). The title key generation unit 131 generates
a title key for storage in the title key storage unit 130 (step S130).

[0079] The encryption unit 141 encrypts the materials edited by the
editing unit 121 with the title key stored in the title key storage unit
130 to generate content for storage in the content storage unit 140 (step
S140).

[0081] The content distribution unit 160 distributes the content stored in
the content storage unit 140 and the hash values and so on generated
during the generation process by the content ID generation unit 151 to
the terminal device 500 (step S170).

[0082] The UR input unit 171 receives the UR input from the operator or
similar of the content production device 100 for storage in the UR
storage unit 170 (step S180). Also, the content ID and UR registration
unit 180 registers the content ID stored in the content ID storage unit
150, paired with the UR stored in the UR storage unit 170, by transmitting
them to the content distribution authentication device 300 (step S190).
The content production device 100 then concludes the content production
process.

[0087] The root key pair storage unit 210 is a memory area for storing a
pair of keys made up of the root public key and the root private key for
the key issuance device 200. The root private key serves as the
foundation of security in the content distribution system 1000 pertaining
to the exemplary Embodiment.

[0088] The root key pair generation unit 211 generates the pair of keys,
made up of the root public key and the root private key for the key
issuance device 200, for storage in the root key pair storage unit 210.

[0098] The terminal device private key and certificate storage unit 230 is
a memory area for storing a terminal device private key and paired
certificate 20.

[0099] The terminal device key pair generation unit 231 generates the pair
of keys, made up of the terminal device public key and private key, for
the terminal device 500, outputs the terminal device public key so
generated to the certificate generation unit 232, and stores the terminal
device private key so generated in the terminal device private key and
certificate storage unit 230.

[0102] FIG. 5B is a diagram illustrating a data configuration example and
sample content of the terminal device certificate 20.

[0103] As shown, the terminal device certificate 20 is made up of a
terminal device ID 21, the terminal device public key 22, ancillary data
23, and a signature 24.

[0104] The terminal device ID 21 is the ID of the terminal device 500, the
terminal device public key 22 is the terminal device public key generated
by the terminal device key pair generation unit 231, and the ancillary
data 23 are, for example, data indicating the issuance or expiration date
of the terminal device certificate 20. Also, the signature 24 is the
signature generated by the certificate generation unit 232 for the
terminal device ID 21, the terminal device public key 22, and the
ancillary data 23.

[0116] The order of operations given below as steps S210 through S250 is
an example of the key issuance processing. For example, any of steps
S220, S240, and S250 may begin provided that step S210 has been
completed. Also, steps S220, S240, and S250 may be completed in any
order, provided that step S210 is completed beforehand. No limitation is
intended regarding the order of steps S220, S240, and S250. That is,
steps S220 and S250 may occur after step S240 in the stated order or the
opposite, and steps S220 and S240 may likewise occur after step S250 in
the stated order or the opposite.

[0117] The root key pair generation unit 211 of the key issuance device
200 generates the pair of keys made up of the root public key and the
root private key for storage in the root key pair storage unit 210. The
root public key transmission unit 212 transmits the root public key so
generated to the key distribution device 400, the terminal device 500,
and the recording medium device 600 (step S210).

[0124] The content distribution authentication device 300 includes a
processor, memory, and a NIC. The function of the authentication
determination and authentication ID generation unit 340 is realized by
having the processor execute a program stored in the memory. Data
transfer by the content ID and UR reception unit 320, the writeout
authentication request reception unit 330, the authentication result and
authentication ID notification unit 350, and the authentication ID and UR
registration unit 360 is performed using the NIC.

[0125] The content ID and UR storage unit 310 is a memory area for storing
the content ID and paired UR.

[0126] The content ID and UR reception unit 320 receives the content ID
and UR from the content production device 100 via the network for storage
in the content ID and UR storage unit 310.

[0129] As shown, the writeout authentication request data 40 includes the
content ID 41, a coupon code 42, and supplementary information 43. In
particular, the content ID 41 is an identifier for content that the
terminal device 500 is attempting to record to the recording medium
device 600. In FIG. 8, a sample content ID of 0008 is given.

[0130] The authentication determination and authentication ID generation
unit 340 determines whether or not any content ID matching the content ID
41 in the writeout authentication request data 40 output by the writeout
authentication request reception unit 330 is stored in the content ID and
UR storage unit 310, and generates determination results accordingly.
Specifically, in the affirmative case, the authentication determination
and authentication ID generation unit 340 generates an authentication ID
and an authentication result indicating success and, in the negative
case, generates an authentication result indicating failure. In either
case, the data so generated are output to the authentication result and
authentication ID notification unit 350. The authentication determination
and authentication ID generation unit 340 also outputs the authentication
ID so generated to the authentication ID and UR registration unit 360.

[0131] The authentication result and authentication ID notification unit
350 transmits the authentication result output by the authentication
determination and authentication ID generation unit 340 via the network
to the terminal device 500. In particular, upon being output from the
authentication determination and authentication ID generation unit 340,
the authentication ID is also transmitted to the terminal device 500 via
the network.

[0135] The order of operations given below as steps S310 through S350 is
an example of the authentication processing. For example, provided that
step S310 is completed before S320 begins, the order of operations is not
limited to that of the steps given below.

[0136] The content ID and UR reception unit 320 of the content
distribution authentication device 300 receives the content ID and the UR
from the content production device 100 for storage in the content ID and
UR storage unit 310 (step S310).

[0143] The key distribution device 400 includes a processor, memory, and a
NIC. The functions of the mutual authentication unit 440, the recording
medium device ID acquisition unit 441, the determination unit 442, the
title key generation unit 450, the MAC calculation unit 451, the title
key calculation unit 453, the encryption and decryption unit 455, the
position designation unit 460, the verification unit 462, and the
signature unit 470 are each realized by having the processor execute a
program stored in the memory. Also, data transfer by the root public key
reception unit 411, the key distribution device private key and
certificate reception unit 416, the authentication ID and UR reception
unit 421, the writeout request reception unit 430, the mutual
authentication unit 440, the MAC and UR transmission unit 452, the title
key transmission unit 454, the encryption and decryption unit 455, the
position designation unit 460, the unsigned data and content reception
unit 461, and the signed data transmission unit 471 is performed using
the NIC.

[0144] The root public key storage unit 410 is a memory area for storing
the root public key.

[0145] The root public key reception unit 411 receives the root public key
transmitted by the key issuance device 200 via the network for storage in
the root public key storage unit 410.

[0151] FIG. 11 is a diagram illustrating a data configuration example and
sample content for the writeout request data 50.

[0152] As shown, the writeout request data 50 are made up of the
authentication ID 51 and a recording medium device ID 52.

[0153] The authentication ID 51 is the authentication ID received by the
terminal device 500 from the content distribution authentication device
300. Also, the recording medium device ID 52 is the ID of the recording
medium device 600 onto which the terminal device 500 is attempting to
record the content.

[0154] The mutual authentication unit 440 performs mutual authentication
with the terminal device 500 and with the recording medium device 600,
sharing a common key therewith.

[0155] FIG. 12 is a block diagram illustrating a sample order of
operations for mutual authentication as performed between host/server
authenticators A and B.

[0156] In this example, host/server authenticator A is the key
distribution device 400 while host/server authenticator B is the terminal
device 500 or the recording medium device 600.

[0157] The mutual authentication unit of host/server authenticator A
includes a random number generator A10, a decryptor A20, a random number
comparator A30, and an encryptor A40. Similarly, the mutual
authentication unit of host/server authenticator B includes an encryptor
B10, a random number generator B20, a decryptor B30, and a random number
comparator B40.

(a) The random number generator A10 in host/server authenticator A
generates random number R1 for transmission to host/server authenticator
B.

(b) The encryptor B10 in host/server authenticator B encrypts the random
number R1 received from host/server authenticator A using a specific key
Ksc (E (Ksc, R1)), and transmits the encrypted random number R1 (E (Ksc,
R1)) to host/server authenticator A.

(c) The decryptor A20 in host/server authenticator A decrypts the data
E (Ksc, R1) received from host/server authenticator B using the specific
key Ksc (D (Ksc, (E (Ksc, R1)))) (=R1). This example represents
successful authentication.

(d) The random number comparator A30 in host/server authenticator A
compares the results of decryption D (Ksc, (E (Ksc, R1))) from step (c)
to the random number R1 generated in step (a). When matching occurs,
host/server authenticator A receives an authentication result to the
effect that host/server authenticator B is a legitimate module.

[0159] (Authentication of Host/Server Authenticator A by Host/Server
Authenticator B)

(e) The random number generator B20 in host/server authenticator B
generates random number R2 for transmission to host/server authenticator
A.

(f) The encryptor A40 in host/server authenticator A receives the random
number R2 from host/server authenticator B, performs encryption using
the specific key Ksc (E (Ksc, R2)), and transmits the encrypted random
number R2 (E (Ksc, R2)) to host/server authenticator B.

(g) The decryptor B30 in host/server authenticator B decrypts the data
E (Ksc, R2) received from host/server authenticator A using the specific
key Ksc (D (Ksc, (E (Ksc, R2)))) (=R2). This example represents
successful authentication.

(h) The random number comparator B40 in host/server authenticator B
compares the results of decryption D (Ksc, (E (Ksc, R2))) from step (g)
to the random number R2 generated in step (e). When matching occurs,
host/server authenticator B receives an authentication result to the
effect that host/server authenticator A is a legitimate module.

[0160] Upon receiving, in steps (d) and (h), notification to the effect
that the other module is legitimate, host/server authenticators A and B
obtain a common key by applying a one-way function to R1∥R2
using Ksc, where ∥ signifies data concatenation.

[0161] Although not detailed above, the mutual authentication performed
between the key distribution device 400 and the terminal device 500 or
between the key distribution device 400 and the recording medium device
600 may result in not only a common key but also a certificate being
exchanged. The details of the certificate obtaining process are described
in Non-Patent Literature 2, section 4.3 "Drive Authentication Algorithm
for AACS (AACS-Auth)" (with particular reference to steps 7 and 13). The
mutual authentication process is given as an example. Other approaches to
mutual authentication may also be employed.
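The FIG. 12 exchange, as an added Python example that is not part of the application: both sides run steps (a) through (h) and then derive the common key of [0160], and a second run against a module holding the wrong Ksc shows the comparison in step (d) failing. The cipher behind E(Ksc, R) is not specified on the page, so a small HMAC-SHA256 Feistel permutation stands in for it, HMAC-SHA256 over R1∥R2 is the assumed one-way function, and the Ksc value is constructed.

```python
import hashlib
import hmac
import secrets

BLOCK = 16   # size in bytes of the random numbers R1 and R2 (constructed choice)
ROUNDS = 4   # Feistel rounds of the stand-in cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(ksc: bytes, i: int, half: bytes) -> bytes:
    # Round function: keyed PRF over (round index, half block).
    return hmac.new(ksc, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def E(ksc: bytes, r: bytes) -> bytes:
    """Stand-in for the page's E(Ksc, R): a 4-round Feistel permutation (assumption)."""
    left, right = r[:BLOCK // 2], r[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(ksc, i, right))
    return left + right


def D(ksc: bytes, c: bytes) -> bytes:
    """Inverse of E: runs the rounds backwards so that D(Ksc, E(Ksc, R)) == R."""
    left, right = c[:BLOCK // 2], c[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(ksc, i, left)), left
    return left + right


def common_key(ksc: bytes, r1: bytes, r2: bytes) -> bytes:
    """[0160]: one-way function applied to R1||R2 using Ksc (HMAC-SHA256 assumed)."""
    return hmac.new(ksc, r1 + r2, hashlib.sha256).digest()


class Authenticator:
    """One side of FIG. 12: A is the key distribution device, B the terminal or medium."""

    def __init__(self, name: str, ksc: bytes):
        self.name = name
        self.ksc = ksc            # the specific key; a rogue module does not hold it
        self.my_nonce = b""       # R1 for A, R2 for B
        self.peer_nonce = b""     # the random number the other side sent us

    def challenge(self) -> bytes:
        """Steps (a)/(e): generate a fresh random number for the peer."""
        self.my_nonce = secrets.token_bytes(BLOCK)
        return self.my_nonce

    def respond(self, nonce: bytes) -> bytes:
        """Steps (b)/(f): encrypt the peer's random number under Ksc."""
        self.peer_nonce = nonce
        return E(self.ksc, nonce)

    def check(self, response: bytes) -> bool:
        """Steps (c)-(d)/(g)-(h): decrypt and compare with the number we generated."""
        return hmac.compare_digest(D(self.ksc, response), self.my_nonce)


def mutual_authenticate(a: Authenticator, b: Authenticator):
    """Run (a) through (h); return the common key both sides derived, or None on failure."""
    if not a.check(b.respond(a.challenge())):   # A authenticates B
        return None
    if not b.check(a.respond(b.challenge())):   # B authenticates A
        return None
    # Each side derives the key from its own view: A holds R1 as my_nonce, B holds it as peer_nonce.
    key_a = common_key(a.ksc, a.my_nonce, a.peer_nonce)
    key_b = common_key(b.ksc, b.peer_nonce, b.my_nonce)
    return key_a if hmac.compare_digest(key_a, key_b) else None


if __name__ == "__main__":
    ksc = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed Ksc
    key = mutual_authenticate(Authenticator("key distribution device", ksc),
                              Authenticator("recording medium device", ksc))
    print("legitimate medium, common key:", key.hex())
    rogue = Authenticator("module without Ksc", bytes(BLOCK))
    print("module without Ksc:", mutual_authenticate(Authenticator("key distribution device", ksc), rogue))
```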

[0162] The remaining components of the key distribution device 400 are
described with continued reference to FIG. 10.

[0163] The recording medium device ID acquisition unit 441 acquires the
recording medium device ID 31 written in the recording medium device
certificate 30 received during the mutual authentication performed by the
mutual authentication unit 440 with the recording medium device 600, and
outputs the certificate 30 to the determination unit 442 and the MAC
calculation unit 451.

[0164] The determination unit 442 determines whether or not to grant the
writeout request from the terminal device 500. Specifically, the
determination unit 442 determines whether or not any authentication ID
matching the authentication ID included in the writeout request data 50
output by the writeout request reception unit 430 is stored in the
authentication ID and UR storage unit 420. Also, the determination unit
442 determines whether or not the recording medium device ID included in
the writeout request data 50 output by the writeout request reception
unit 430 matches the recording medium device ID output by the recording
medium device ID acquisition unit 441. When the authentication ID is
stored and the recording medium device IDs match, the determination unit
442 outputs determination results indicating that the writeout request is
granted to the title key generation unit 450. Conversely, when the
authentication ID is not stored or the recording medium device IDs do not
match, the determination unit 442 outputs determination results
indicating that the writeout request is not granted to the title key
generation unit 450.

[0165] When the determination results output by the determination unit 442
indicate that the writeout request is granted, the title key generation
unit 450 generates the title key for output to the MAC calculation unit
451, the title key calculation unit 453, and the verification unit 462.
However, when the determination results output by the determination unit
442 indicate that the writeout request is not granted, the title key
generation unit 450 outputs the determination results to the MAC and UR
transmission unit 452 through the MAC calculation unit 451.

[0166] The MAC calculation unit 451 uses the title key output by the title
key generation unit 450 to calculate a message authentication code
(hereinafter, MAC) for the recording medium device ID output by the
recording medium device ID acquisition unit 441, and outputs the MAC
value so calculated to the MAC and UR transmission unit 452.

[0167] The MAC and UR transmission unit 452 transmits the MAC value for
the recording medium device ID output by the MAC calculation unit 451 and
the UR stored in the authentication ID and UR storage unit 420 via the
network to the terminal device 500. Upon receiving the notification of
determination results from the title key generation unit 450 via the MAC
calculation unit 451 indicating that the writeout request is not granted,
the MAC and UR transmission unit 452 outputs the determination results to
the terminal device 500.

[0168] The title key calculation unit 453 calculates a hash value for the
UR stored in the authentication ID and UR storage unit 420 and generates
a calculated title key by applying a simple set of reversible operations,
such as XOR, to the calculated hash value and the title key output by the
title key generation unit 450. The title key calculation unit 453 outputs
the calculated title key so generated to the title key transmission unit
454.

[0169] The title key transmission unit 454 transmits the calculated title
key output by the title key calculation unit 453 via the encryption and
decryption unit 455 to the recording medium device 600 via the network.
The recording medium device 600 is used by insertion in a card slot on
the terminal device 500. As described below, the transmission of the
calculated title key to the recording medium device 600 is actually
performed through the terminal device 500. However, in such
transmissions, the terminal device 500 serves only as the communication
channel between the key distribution device 400 and the recording medium
device 600, and is fundamentally unconcerned with the content of the
communicated data. That is, although communications are performed through
the terminal device 500, these are considered equivalent to direct
communication between the key distribution device 400 and the recording
medium device 600.

[0170] The encryption and decryption unit 455 uses the common key
generated during the mutual authentication process by the mutual
authentication unit 440 to encrypt the calculated title key generated by
the title key calculation unit 453 for transmission to the recording
medium device 600. The calculated title key is thus securely transmitted
to the recording medium device 600.

[0171] As described below, the position designation unit 460 generates
position designation information designating a portion of content
(hereinafter, content portion) to be subject to hash value comparison by
the verification unit 462, in terms of position and size within the
content that the terminal device is attempting to write to the recording
medium device 600, and transmits the position designation information so
generated via the network to the terminal device 500. The position
designation unit 460 also outputs the position designation information so
generated to the verification unit 462. The position designation unit 460
may select the position within the content randomly, or in accordance
with some rule.

[0172] The unsigned data and content reception unit 461 receives the
unsigned data 70 from the terminal device 500 via the network, outputs
the unsigned data 70 so received to the verification unit 462, and
notifies the position designation unit 460 of unsigned data 70 reception.
The unsigned data and content reception unit 461 also receives, from the
terminal device 500, the content portion designated in the position
designation information output by the position designation unit 460, and
outputs the content portion to the verification unit 462.

[0175] Each piece of hash data (reference signs 71 through 73) is a hash
value for the corresponding encrypted content portion, as divided.
Although the pieces of hash data are here described as hash values
calculated for the encrypted content, the hash values may also be
calculated for unencrypted portions of plain-text content.

[0176] The reserved signature portion 75 is a reserved area for storing a
signature 78 in later-described signed data 76. The supplementary
information 74 is, for example, information specifying or pertaining to
the content, used for content associations.

[0177] The verification unit 462 verifies the legitimacy of the unsigned
data 70 output by the unsigned data and content reception unit 461.
Specifically, the verification unit 462 encrypts the content portion
output by the unsigned data and content reception unit 461 using the
title key output by the title key generation unit 450, and calculates a
hash value therefor. The verification unit 462 then determines whether or
not the hash value so calculated matches the hash value corresponding to
the above-described content portion as written in the unsigned data 70,
and outputs determination results to the signature unit 470 indicating
that the unsigned data 70 are legitimate when matching occurs, and
indicating that the unsigned data 70 are illegitimate when no matching
occurs. The verification unit 462 specifies the hash value corresponding
to the content portion among the hash values written in the unsigned data
70 according to the position designation information received from the
position designation unit 460.

[0178] Upon receiving determination results from the verification unit 462
indicating that the unsigned data 70 are legitimate, the signature unit
470 uses the key distribution device private key stored in the key
distribution device private key and certificate storage unit 415 to sign
the unsigned data 70, thus generating signed data 76. The signature unit
470 outputs the signed data 76 so generated to the signed data
transmission unit 471. Upon receiving determination results from the
verification unit 462 indicating that the unsigned data 70 are
illegitimate, the signature unit 470 outputs the determination results to
the signed data transmission unit 471.

[0179] FIG. 13B indicates a sample data configuration for the signed data
76.

[0180] As shown, the signed data 76 are made up of hash data 1 (reference
sign 71), hash data 2 (72), . . . hash data N (73), supplementary
information 77, and a signature 78.

[0181] The hash data (reference signs 71 through 73) are identical to
those included in the unsigned data 70. The signature 78 is generated by
using the key distribution device private key on the hash data (reference
signs 71 through 73) and the supplementary information 77. The
supplementary information 77 may include the original data used to
calculate the hash data, information indicating the position and size
within the content indicating such original data, or similar. The
supplementary information 77 is not limited to the content portion but
may also include information designating something other than a content
portion, or designate information unrelated to content portions.

[0182] The signed data transmission unit 471 transmits the signed data 76
output by the signature unit 470 to the terminal device 500 via the
network. Upon receiving determination results from the signature unit 470
indicating that the unsigned data 70 are illegitimate, the signed data
transmission unit 471 outputs the determination results to the terminal
device 500.

[0183] (Process by Key Distribution Device 400)

[0184] The pre-distribution process by the key distribution device 400 is
described first.

[0185] FIG. 14 is a flowchart indicating the pre-distribution process by
the key distribution device 400.

[0186] The order of operations for the pre-distribution process made up of
steps S410 and S420 is given as an example, below. No limitation is
intended regarding the order of the steps. That is, step S420 may be
executed before step S410.

[0189] The distribution process by the key distribution device 400 is
described next.

[0190] FIG. 15 is a flowchart indicating the distribution process by the
key distribution device 400.

[0191] The writeout request reception unit 430 of the key distribution
device 400 receives the writeout request data 50 from the terminal device
500 (step S440). The determination unit 442 determines whether or not to
grant the writeout request from the terminal device 500 according to the
writeout request data 50 so received (step S445). Specifically, the
determination unit 442 verifies whether or not a match for the
authentication ID 51 in the writeout request data 50 received by the
writeout request reception unit 430 is stored in the authentication ID
and UR storage unit 420, and whether or not the recording medium device
ID 52 in the writeout request data 50 matches the recording medium device
ID acquired by the recording medium device ID acquisition unit 441.

[0192] When the authentication ID is not stored or the recording medium
device IDs do not match (NO in step S445), the determination unit 442
outputs determination results indicating that the writeout request from
the terminal device 500 is not granted to the terminal device 500 via the
title key generation unit 450, the MAC calculation unit 451, and the MAC
and UR transmission unit 452 (step S490). The key distribution device 400
then concludes the distribution process.

[0193] Conversely, when the authentication ID is stored and the recording
medium device IDs match (YES in step S445), the mutual authentication
unit 440 performs mutual authentication with the recording medium device
600 confirming whether or not the recording medium device 600 is
trustworthy and simultaneously generating a common key. The subsequent
transfers use the common key to protect data by encryption and decryption
(step S450).

[0194] The title key generation unit 450 generates the title key. The MAC
calculation unit 451 uses the title key generated by the title key
generation unit 450 to calculate a MAC value for the recording medium
device ID acquired by the recording medium device ID acquisition unit
441. Also, the MAC and UR transmission unit 452 transmits the MAC value
for the recording medium device ID as calculated by the MAC calculation
unit 451 and the UR stored in the authentication ID and UR storage unit
420 to the terminal device 500 (step S455).

[0195] The title key calculation unit 453 calculates a hash value for the
UR stored in the authentication ID and UR storage unit 420 and generates
a calculated title key by applying a simple set of reversible operations,
such as XOR, to the generated hash value and the title key output by the
title key generation unit 450. The title key transmission unit 454
transmits the calculated title key generated by the title key calculation
unit 453 through the encryption and decryption unit 455 to the recording
medium device 600 (step S460).

[0196] The unsigned data and content reception unit 461 receives the
unsigned data 70 from the terminal device 500 (step S465). The position
designation unit 460 generates position designation information for the
content portion subject to determination in the later-described step
S470, and transmits this information along to the terminal device 500
(step S467).

[0197] The unsigned data and content reception unit 461 receives, from the
terminal device 500, the content portion designated by the position
designation information transmitted by the position designation unit 460
(step S469). The verification unit 462 verifies the legitimacy of the
unsigned data 70 received by the unsigned data and content reception unit
461 (step S470). Specifically, the verification unit 462 encrypts the
content portion received by the unsigned data and content reception unit
461 using the title key generated in step S455 by the title key
generation unit 450 and generates a hash value therefor. The verification
unit 462 determines whether or not the hash value so calculated matches
the hash value corresponding to the content portion written in the
unsigned data 70.

[0198] In the negative case (NO in step S470), the verification unit 462
outputs, via the signature unit 470 and the signed data transmission unit
471, verification results to the terminal device 500 indicating that the
unsigned data 70 are illegitimate (step S490). The key distribution
device 400 then concludes the distribution process.

[0201] FIG. 16 is a block diagram illustrating the functional
configuration of the principal components of the terminal device 500 for
a reception and writing process, while FIG. 17 is a block diagram
illustrating the functional configuration of the principal components of
the terminal device 500 for a playback process.

[0202] With reference to FIG. 16, the following describes the
configuration of the terminal device 500, in concert with the content
distribution authentication device 300 and the key distribution device
400, pertaining to reception of data, such as keys and content, required
for content protection and playback, and to writing to the recording
medium device 600. Similarly, with reference to FIG. 17, the following
describes the configuration of the terminal device 500 pertaining to
reading content and data, such as keys, from the recording medium device
600 for playback, provided that the aforementioned writing of content and
data to the recording medium device 600 has been completed. Components
repeated in the reception and writing process and in the playback process
use the same names and reference signs in both FIGS. 16 and 17.

[0204] The terminal device 500 includes a processor, memory, and a NIC.
The functions of the writeout authentication request transmission unit
522, the mutual authentication unit 530, the recording medium device ID
acquisition unit 531, the writeout request transmission unit 532, the
encryption and decryption unit 533, the title key acquisition unit 540,
the title key recalculation unit 546, the encryption unit 550, the hash
calculation and unsigned data generation unit 560, the first playback
determination unit 582, the second playback determination unit 587, the
content decryption unit 590, and the content playback unit 591 are each
realized by having the processor execute a program stored in the memory.
Also, data transfer by the writeout authentication request transmission
unit 522, the authentication result and authentication ID reception unit
523, the mutual authentication unit 530, the writeout request
transmission unit 532, the MAC, UR, and signed data reception unit 541,
the unsigned data and content transmission unit 561, and the
transportation unit 570 is performed using the NIC.

[0205] The terminal device private key and certificate storage unit 510 is
a memory area for storing a terminal device private key and paired
certificate 20. In practice, the writing of the terminal device private
key and certificate 20 to the terminal device private key and certificate
storage unit 510 is realized by a terminal manufacturing apparatus
writing the private key and certificate generated by the key issuance
device 200 during manufacture of the terminal device 500. The details of
the writing process for the terminal device private key and certificate
20 are omitted.

[0206] The root public key storage unit 511 is a memory area for storing
the root public key. In practice, the writing of the root public key to
the root public key storage unit 511 is realized during manufacture of
the terminal device 500 by the terminal manufacturing apparatus writing
the root public key generated by the key issuance device 200. The details
of the writing process for the root public key are omitted.

[0207] The content acquisition unit 520 acquires the content distributed
by the content production device 100. The content acquisition unit 520
outputs the content so acquired to the content ID acquisition unit 521
and outputs plain-text content, obtained by decrypting the acquired
content, to the encryption unit 550 and to the unsigned data and content
transmission unit 561. As described above, in the exemplary Embodiment,
content distribution by the content production device 100 is realized by,
for example, inserting a recording medium such as a DVD or BD on which
content is recorded into the disc drive of the terminal device 500.

[0208] The content ID acquisition unit 521 acquires the content ID of the
content output by the content acquisition unit 520 and outputs the ID to
the writeout authentication request transmission unit 522. The content ID
acquisition unit 521 acquires the content ID by generating the content ID
as described above for the content ID generation unit 151 of the content
production device 100.

[0210] The authentication result and authentication ID reception unit 523
receives, from the content distribution authentication device 300, the
authentication result based on the writeout authentication request data
40 transmitted by the writeout authentication request transmission unit
522. Specifically, the authentication result and authentication ID
reception unit 523 further receives the authentication ID when the
authentication result indicates success, then outputs the authentication
ID so received to the writeout request transmission unit 532. In AACS,
for example, a common mechanism may be used for transmitting the writeout
authentication request data and receiving the authentication result
(i.e., managed copy).

[0211] The mutual authentication unit 530 performs mutual authentication
with the key distribution device 400 and with the recording medium device
600, sharing a common key and exchanging certificates (the key
distribution device certificate 10, the terminal device certificate 20,
and the recording medium device certificate 30) therewith. The operations
involved in the mutual authentication are as described above (see FIG.
12).

[0214] The encryption and decryption unit 533 uses the common key
generated during the mutual authentication process by the mutual
authentication unit 530 to encrypt the data at transmission time and
decrypt the data at reception time, and thus securely exchanges data with
the recording medium device 600. Specifically, the encryption and
decryption unit 533 receives the calculated title key, as encrypted using
the common key, from the recording medium device 600 and uses the common
key to decrypt, and thus safely receive, the calculated title key.

[0215] The title key acquisition unit 540 acquires the calculated title
key from the recording medium device 600 through the encryption and
decryption unit 533 for output to the title key recalculation unit 546.

[0216] The MAC, UR, and signed data reception unit 541 receives the MAC
value for the recording medium device ID of the recording medium device
600, the UR for the content corresponding to the authentication ID 51
included in the writeout request data 50 transmitted by the writeout
request transmission unit 532, and the signed data from the key
distribution device 400, and outputs these to the MAC, UR, and signed
data recording unit 542. The MAC, UR, and signed data reception unit 541
also outputs the UR so received to the title key recalculation unit 546.
The MAC, UR, and signed data reception unit 541 also receives
determination results indicating that the writeout request is not granted
when such determination results have been transmitted from the key
distribution device 400.

[0217] The MAC, UR, and signed data recording unit 542 records the MAC
value, UR, and signed data output by the MAC, UR, and signed data
reception unit 541 to the recording medium device 600.

[0218] The title key storage unit 545 is a memory area for storing a title
key.

[0219] The title key recalculation unit 546 calculates a hash value for
the UR, acquires the original title key by applying the simple set of
reversible operations, such as XOR, to the calculated hash value and to
the calculated title key output by the title key acquisition unit 540,
and stores the original title key in the title key storage unit 545. In
practice, the UR used for the hash value calculation in the reception and
writing process is output by the MAC, UR, and signed data reception unit
541, while in the playback process, the UR so used is output from the UR
reading unit 581.

[0220] The encryption unit 550 encrypts plain-text content output by the
content acquisition unit 520 using the title key stored in the title key
storage unit 545, then outputs the resulting content to the content
recording unit 551 and the hash calculation and unsigned data generation
unit 560.

[0222] The hash calculation and unsigned data generation unit 560 divides
the content output by the encryption unit 550 into a plurality of
portions and calculates a hash value for each portion, generates unsigned
data 70 (see FIG. 13A) with the hash values so calculated as hash data
(reference signs 71 through 73), and outputs the result to the unsigned
data and content transmission unit 561. The unsigned data 70 generated by
the hash calculation and unsigned data generation unit 560 also include
supplementary information 74, as appropriate.

[0223] The unsigned data and content transmission unit 561 transmits the
unsigned data 70 output by the hash calculation and unsigned data
generation unit 560 to the key distribution device 400. The unsigned data
and content transmission unit 561 also receives position designation
information from the key distribution device 400, extracts a content
portion designated by the position designation information so received
from the plain-text content output by the content acquisition unit 520,
and outputs the content portion to the key distribution device 400.
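The hash-portion check of [0171] through [0178], seen from the terminal side ([0222], [0223]) and from the key distribution device side (steps S465 through S470 in [0196] through [0198]), as an added Python example that is not from the application. The content cipher is not specified on the page, so a deterministic HMAC-SHA256 keystream keyed by the title key and the portion index stands in for it; the portion size, the sample content and the substituted content are constructed, and the signing step of [0178] is left out.

```python
import hashlib
import hmac
import secrets

PORTION_SIZE = 64   # bytes per content portion (constructed choice)


def _keystream_encrypt(title_key: bytes, index: int, portion: bytes) -> bytes:
    """Stand-in for the unspecified content cipher: HMAC-SHA256 keystream in counter mode,
    keyed by the title key and portion index so the key distribution device can reproduce it."""
    stream = b""
    counter = 0
    while len(stream) < len(portion):
        stream += hmac.new(title_key, index.to_bytes(8, "big") + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(portion, stream))


def split_portions(content: bytes) -> list:
    return [content[i:i + PORTION_SIZE] for i in range(0, len(content), PORTION_SIZE)]


# ---- terminal device side ----

def build_unsigned_data(title_key: bytes, plaintext: bytes, supplementary: bytes = b"") -> dict:
    """[0222]: encrypt the content, divide it, hash every portion -> unsigned data 70."""
    hashes = [hashlib.sha256(_keystream_encrypt(title_key, i, p)).digest()
              for i, p in enumerate(split_portions(plaintext))]
    return {"hash_data": hashes, "supplementary": supplementary, "reserved_signature": None}


def extract_portion(plaintext: bytes, designation: dict) -> bytes:
    """[0223]: cut the designated plain-text portion out for the key distribution device."""
    return plaintext[designation["offset"]:designation["offset"] + designation["size"]]


# ---- key distribution device side ----

def designate_position(unsigned: dict) -> dict:
    """[0171]/S467: pick the portion to check, at random and only after unsigned data 70 arrived."""
    index = secrets.randbelow(len(unsigned["hash_data"]))
    return {"offset": index * PORTION_SIZE, "size": PORTION_SIZE}


def verify_unsigned_data(title_key: bytes, unsigned: dict, designation: dict, portion: bytes) -> bool:
    """[0177]/S470: encrypt the supplied portion with the server's own title key, hash it, and
    compare with the hash the terminal claimed for that position."""
    index = designation["offset"] // PORTION_SIZE
    expected = hashlib.sha256(_keystream_encrypt(title_key, index, portion)).digest()
    return hmac.compare_digest(expected, unsigned["hash_data"][index])


def writeout_round(title_key: bytes, claimed_content: bytes, held_content: bytes) -> bool:
    """S465 to S470 as one exchange. claimed_content is what the terminal hashed into unsigned
    data 70; held_content is what it serves when a portion is requested (the same bytes when honest)."""
    unsigned = build_unsigned_data(title_key, claimed_content)              # S465
    designation = designate_position(unsigned)                              # S467
    portion = extract_portion(held_content, designation)                    # S469
    return verify_unsigned_data(title_key, unsigned, designation, portion)  # S470


if __name__ == "__main__":
    title_key = secrets.token_bytes(32)
    licensed = bytes((i * 7) % 256 for i in range(8 * PORTION_SIZE))        # constructed content
    other = bytes((i * 7 + 1) % 256 for i in range(8 * PORTION_SIZE))       # differs in every portion
    print("same bytes hashed and served:", writeout_round(title_key, licensed, licensed))
    print("hashes of one content, portions of another:", writeout_round(title_key, licensed, other))
```

Because the position is chosen after the hashes are committed (S465 before S467), the terminal cannot know in advance which portion will be compared.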

[0224] The transportation unit 570 relays communications data between the
key distribution device 400 and the recording medium device 600. With the
exception of data pertaining to control, such as stop notifications, the
transportation unit 570 serves as a relay between the key distribution
device 400 and the recording medium device 600 without knowing the
content of the data being communicated. Communications between the key
distribution device 400 and the recording medium device 600, particularly
those concerning the calculated title key, are performed with the data
being encrypted using the common key generated in the mutual
authentication process by the key distribution device 400 and the
recording medium device 600. Given that the common key is common only to
the key distribution device 400 and the recording medium device 600, the
terminal device 500 is, of course, unable to decrypt and reference the
calculated title key data during relay. That is, the calculated title key
is protected during transportation.

[0225] The MAC reading unit 580 reads the MAC value from the recording
medium device 600 on which the content is recorded and outputs the value
to the first playback determination unit 582.

[0226] The UR reading unit 581 reads the UR pertaining to content playback
from the recording medium device 600 and outputs the UR to the title key
recalculation unit 546.

[0227] The first playback determination unit 582 uses the title key stored
in the title key storage unit 545 to calculate a MAC value for the
recording medium ID output by the recording medium device ID acquisition
unit 531, then determines whether or not the MAC value so calculated
matches that recorded on the recording medium device 600 as output by the
MAC reading unit 580. The first playback determination unit 582 grants
the content reading unit 586 permission to read the content when the MAC
values match, and does not grant such permission when the MAC values do
not match. That is, content playback is controlled so as to depend on the
determination results from the first playback determination unit 582.
When not granting permission to read the content, the first playback
determination unit 582 displays a notification to such effect for the
user on a television or similar output device via the content decryption
unit 590 and the content playback unit 591.

[0228] The signed data reading unit 585 reads the signed data 76 for the
content to be played back from the recording medium device 600 and
outputs the data to the second playback determination unit 587.

[0229] When permitted to read the content by the first playback
determination unit 582, the content reading unit 586 reads the content to
be played back from the recording medium device 600 and outputs the
content to the second playback determination unit 587 and to the content
decryption unit 590.

[0230] The second playback determination unit 587 verifies the signature
78 of the signed data 76 recorded on the recording medium device 600 and
output by the signed data reading unit 585 using the root public key
stored in the root public key storage unit 511 and the key distribution
device public key written in the key distribution device certificate 10
received during the mutual authentication with the key distribution
device 400. When the signature 78 is valid, the second playback
determination unit 587 also calculates hash values for the content
portions resulting from division of the content recorded on the recording
medium device 600 and output by the content reading unit 586, then
determines whether or not the hash values so calculated match the hash
values (reference signs 71 through 73) in the signed data 76. The second
playback determination unit 587 permits the content decryption unit 590
to decrypt the content when the hash values match, and does not do so
when the hash values do not match. That is, content playback is
controlled so as to depend not only on the determination results from the
first playback determination unit 582 but also on the determination
results from the second playback determination unit 587. When not
granting permission to decrypt the content, the second playback
determination unit 587 displays a notification to such effect for the
user on a television or similar output device via the content decryption
unit 590 and the content playback unit 591.

[0231] The content decryption unit 590 acquires plain-text content by
decrypting the content recorded on the recording medium device 600 and
output by the content reading unit 586 using the title key stored in the
title key storage unit 545, then outputs the plain-text content to the
content playback unit 591.

[0232] The content playback unit 591 plays back the plain-text content
output by the content decryption unit 590 on the television or similar
playback device.

[0233] (Process by Terminal Device 500)

[0234] First, the reception and writing process by the terminal device 500
is described.

[0235] FIG. 18 is a flowchart indicating the reception and writing process
by the terminal device 500.

[0236] The order of operations for the reception and writing process made
up of steps S510 through S549 is given as an example. No limitation is
intended regarding the order of the steps. For example, while step S530
is executed upon receipt of a writeout request operation, which includes
a designation of content to be written, from the user of the terminal
device 500, step S510 may be performed at any time provided that the
operations thereof are complete before step S530 begins.

[0237] As indicated, while manufacturing the terminal device 500, the
terminal device manufacturing apparatus stores the terminal device
private key and certificate 20 in the terminal device private key and
certificate storage unit 510 of the terminal device 500 and stores the
root public key in the root public key storage unit 511 (step S510).

[0238] The content acquisition unit 520 acquires the content distributed
by the content production device 100. Given circumstances, such as those
of AACS managed copy, in which content recorded in an AACS-supported
protected format on the BD is acquired and copied onto a memory card,
such as an SD card, in a different protected format, the content recorded
on the BD, being encrypted in the AACS-supported protected format, is
decrypted in order to obtain plain-text content.

[0241] The authentication result and authentication ID reception unit 523
receives the results of the authentication performed by the content
distribution authentication device 300 according to the writeout
authentication request data 40 transmitted during step S530, and
determines whether or not the received authentication result indicates
success (step S531).

[0242] When the authentication result indicates failure (FAIL in step
S531), the authentication result and authentication ID reception unit 523
notifies the user that the content cannot be written through a display on
a (non-diagrammed) display unit of the terminal device 500 (step S549).
The terminal device 500 then concludes the reception and writing process.

[0243] However, when the received authentication result indicates success
(SUCCESS in step S531), the authentication result and authentication ID
reception unit 523 additionally receives the authentication ID. The
writeout request transmission unit 532 generates writeout request data
50, made up of the authentication ID received by the authentication
result and authentication ID reception unit 523 and the recording medium
device ID acquired by the recording medium device ID acquisition unit 531
through the mutual authentication process performed by the mutual
authentication unit 530 with the recording medium device 600, and
transmits the writeout request data 50 so generated to the key
distribution device 400 (step S535).

[0244] The MAC, UR, and signed data reception unit 541 repeatedly
determines whether or not any data have been received from the key
distribution device 400 (step S536). Upon receipt of determination
results indicating that the writeout request is not granted
(Determination Results in step S536), the user is notified that the
content cannot be written through a display on the (non-diagrammed)
display unit of the terminal device 500 (step S549). The terminal device
500 then concludes the reception and writing process.

[0245] Conversely, upon receipt of the MAC value for the recording medium
device ID of the recording medium device 600 and the UR for the content
corresponding to the authentication ID in the writeout request data 50
transmitted during step S536 (MAC value in step S536), the MAC, UR, and
signed data reception unit 541 outputs the MAC value and the UR so
received to the MAC, UR, and signed data recording unit 542. The MAC, UR,
and signed data recording unit 542 records the MAC value and UR output by
the MAC, UR, and signed data reception unit 541 to the recording medium
device 600. Further, the title key acquisition unit 540 acquires the
calculated title key from the recording medium device 600 through the
encryption and decryption unit 533 (step S540).

[0246] The title key recalculation unit 546 calculates a hash value for
the UR output by the MAC, UR, and signed data reception unit 541,
calculates the original title key by applying the simple set of
reversible operations, such as XOR, to the calculated hash value and to
the calculated title key acquired by the title key acquisition unit 540,
and stores the original title key in the title key storage unit 545.
Further, the encryption unit 550 encrypts the plain-text content acquired
by the content acquisition unit 220 using the title key stored in the
title key storage unit 545 (step S541).

[0247] When the content encrypted by the encryption unit 550 has been
divided into a plurality of portions, the hash calculation and unsigned
data generation unit 560 calculates a hash value for each portion and
generates unsigned data 70 using the hash values so calculated as hash
data (reference signs 71 through 73). The unsigned data and content
transmission unit 561 also transmits the unsigned data 70 generated by
the hash calculation and unsigned data generation unit 560 to the key
distribution device 400.

[0248] The unsigned data and content transmission unit 561 also receives
position designation information from the key distribution device 400,
and extracts a content portion as designated by the position designation
information so received from the plain-text content acquired by the
content acquisition unit 520 for transmission to the key distribution
device 400 (step S542).

[0249] The MAC, UR, and signed data reception unit 541 repeatedly
determines whether or not any data have been received from the key
distribution device 400 (step S543). Upon receipt of determination
results indicating that the unsigned data 70 are illegitimate
(Determination Results in step S543), the user is notified that the
content cannot be written through a display on the (non-diagrammed)
display unit of the terminal device 500 (step S549). The terminal device
500 then concludes the reception and writing process.
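The per-portion hashing of [0247], the position-designated extraction of [0248] and the hash comparison later performed by the second playback determination unit 587 ([0230]), as an added worked example; this is not code from the patent. The patent fixes neither the portion size nor the hash function, so 16-byte portions and SHA-256 are assumptions, as are all function names. The signature 78 is a public-key signature verified with the root public key, which the Python standard library does not provide, so an HMAC-SHA256 tag under a constructed key (SIGN_KEY) stands in for it here purely to keep the control flow complete.

```python
"""Added example, not the patent's own code: generation of unsigned data 70
(per-portion hashes 71..73 plus supplementary information 74) on the
terminal side, and the playback-side recomputation that detects a modified
content portion. Portion size, hash function and all names are assumptions."""
import hashlib
import hmac

PORTION_SIZE = 16  # assumption: fixed-size division of the encrypted content
# Constructed stand-in for the key distribution device's signing key; the
# patent uses a public-key signature checked against the root public key.
SIGN_KEY = b"constructed-stand-in-signing-key"


def divide(content: bytes, size: int = PORTION_SIZE) -> list:
    """Split the (encrypted) content into portions of `size` bytes; the last may be shorter."""
    return [content[i:i + size] for i in range(0, len(content), size)]


def make_unsigned_data(encrypted_content: bytes, supplementary: bytes = b"") -> dict:
    """Hash calculation and unsigned data generation unit 560 ([0247]):
    one hash per portion, plus supplementary information 74."""
    return {
        "hashes": [hashlib.sha256(p).digest() for p in divide(encrypted_content)],
        "supplementary": supplementary,
    }


def serialize_for_signature(data: dict) -> bytes:
    """Canonical byte string the signature covers: hash list and supplementary info."""
    return b"".join(data["hashes"]) + b"|" + data["supplementary"]


def sign_stand_in(unsigned: dict) -> dict:
    """Stand-in for the key distribution device turning unsigned data 70 into
    signed data 76 by attaching signature 78 (here an HMAC tag, see SIGN_KEY)."""
    tag = hmac.new(SIGN_KEY, serialize_for_signature(unsigned), hashlib.sha256).digest()
    return {**unsigned, "signature": tag}


def extract_designated_portion(plain_content: bytes, position: int, size: int) -> bytes:
    """Unsigned data and content transmission unit 561 answering position
    designation information from the key distribution device ([0248])."""
    return plain_content[position:position + size]


def second_playback_determination(signed: dict, content_from_card: bytes) -> bool:
    """Second playback determination unit 587 ([0230]): first verify signature 78,
    then recompute the per-portion hashes of the content read from the card and
    compare them with the hash data in the signed data. Any mismatch, including a
    different number of portions, denies decryption."""
    expected = hmac.new(SIGN_KEY, serialize_for_signature(signed), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False
    recomputed = [hashlib.sha256(p).digest() for p in divide(content_from_card)]
    if len(recomputed) != len(signed["hashes"]):
        return False
    return all(hmac.compare_digest(a, b) for a, b in zip(recomputed, signed["hashes"]))


if __name__ == "__main__":
    # Constructed sample content (40 bytes -> three portions), not from the patent.
    encrypted = bytes(range(40))
    signed = sign_stand_in(make_unsigned_data(encrypted, b"title=demo"))
    print("intact content:", second_playback_determination(signed, encrypted))  # True
    modified = encrypted[:20] + b"\x00" + encrypted[21:]
    print("one byte changed:", second_playback_determination(signed, modified))  # False
    # Re-hashing the modified content does not help without a valid signature.
    forged = dict(signed, hashes=make_unsigned_data(modified, b"title=demo")["hashes"])
    print("hash list swapped:", second_playback_determination(forged, modified))  # False
```

The order of the two checks matters: the hash list is only trusted once signature 78 has been verified, otherwise a writer could replace both the content and its hash list on the card. Comparing digests with `hmac.compare_digest` keeps the comparison constant-time.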

[0251] Next, the playback process by the terminal device 500 is described.

[0252] FIG. 19 is a flowchart indicating the playback process by the
terminal device 500.

[0253] The playback process illustrated below begins when, for example, a
playback request operation, which includes a designation of content to be
played back, is received from the user of the terminal device 500.

[0254] The UR reading unit 581 of the terminal device 500 reads the UR of
the content to be played back from the recording medium device 600, on
which the content is recorded. The mutual authentication unit 530
performs mutual authentication with the recording medium device 600,
sharing a common key therewith. Also, the title key acquisition unit 540
acquires the calculated title key from the recording medium device 600
through the encryption and decryption unit 533 (step S550).

[0255] The title key recalculation unit 546 calculates a hash value for
the UR read by the UR reading unit 581, acquires the original title key
by applying the simple set of reversible operations, such as XOR, to the
calculated hash value and to the calculated title key acquired by the
title key acquisition unit 540, and stores the original title key in the
title key storage unit 545. The MAC reading unit 580 reads the MAC value
corresponding to the content being read from the recording medium device
600 (step S551).

[0256] The first playback determination unit 582 uses the title key stored
in the title key storage unit 545 to calculate a MAC value for the
recording medium device ID acquired by the recording medium device ID
acquisition unit 531, then determines whether or not the MAC value so
calculated matches that of the recording medium device ID read by the MAC
reading unit 580 (step S552).

[0257] When the MAC values do not match (NO in step S552), the first
playback determination unit 582 prevents content playback by not
permitting the content reading unit 586 to read the content. The first
playback determination unit 582 also notifies the user to the effect that
the content cannot be played back through a display on a television or
similar output device via the content decryption unit 590 and the content
playback unit 591 (step S580). The terminal device 500 then terminates
the playback process.

[0258] Conversely, when the first playback determination unit 582
determines that the two MAC values match (YES in step S552), the signed
data reading unit 585 reads the signed data 76 corresponding to the
content from the recording medium device 600 on which the content is
recorded. The content reading unit 586 reads the content to be played
back from the recording medium device 600 (step S555).

[0259] The second playback determination unit 587 verifies the signature
78 of the signed data 76 read during step S555 using the root public key
stored in the root public key storage unit 511 and the key distribution
device public key written in the key distribution device certificate 10
received during mutual authentication with the key distribution device
400. When the signature 78 is legitimate and the content read during step
S555 is divided into a plurality of portions, the second playback
determination unit 587 calculates hash values for each of the content
portions, then determines whether or not the hash values so calculated
match the hash values (reference signs 71 through 73) in the signed data
76 (step S556).

[0260] When the hash values do not match (NO in step S556), the second
playback determination unit 587 prevents content playback by not granting
the content decryption unit 590 the permission to decrypt the content.
The second playback determination unit 587 also notifies the user to the
effect that the content cannot be played back through a display on a
television or similar output device via the content decryption unit
590 and the content playback unit 591 (step S580). The terminal device
500 then terminates the playback process. The second playback
determination unit 587 may also perform step S580 when the signature 78
is found to be illegitimate in step S556. The terminal device 500 then
terminates the playback process.

[0261] Conversely, when the second playback determination unit 587
determines that the hash values match (YES in step S556), the content
decryption unit 590 decrypts the content read during step S555 using the
original title key calculated during step S551. The content playback unit
591 plays back the content so decrypted by output to the television or
similar output device (step S560). The terminal device 500 then concludes
the playback process.
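The title key recalculation of [0246] and [0255] and the MAC check of the first playback determination unit 582 in [0256] and [0257], as an added worked example; this is not the patent's own code. The patent names neither the hash nor the MAC algorithm nor the key length, so SHA-256, HMAC-SHA256 and a 32-byte title key are this example's assumptions, as are all function names and the sample values.

```python
"""Added example, not code from the patent: how XOR with the hash of the UR
binds the title key to the usage rule, and how the MAC over the recording
medium device ID binds playback to one card. Algorithms, key size and names
are assumptions."""
import hashlib
import hmac

KEY_LEN = 32  # assumption: 256-bit title key, matching the SHA-256 digest length


def ur_hash(ur: bytes) -> bytes:
    """Hash value of the UR, as computed by the title key recalculation unit 546."""
    return hashlib.sha256(ur).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def calc_title_key(title_key: bytes, ur: bytes) -> bytes:
    """'Calculated title key' handed to the recording medium device:
    original title key XOR hash(UR), the simple reversible operation of [0246]."""
    return xor_bytes(title_key, ur_hash(ur))


def recalc_title_key(calculated: bytes, ur: bytes) -> bytes:
    """Inverse of calc_title_key: the same XOR recovers the original title key,
    so a terminal reading an altered UR from the card derives a different key."""
    return xor_bytes(calculated, ur_hash(ur))


def medium_mac(title_key: bytes, medium_id: bytes) -> bytes:
    """MAC value over the recording medium device ID, keyed with the title key."""
    return hmac.new(title_key, medium_id, hashlib.sha256).digest()


def write_to_card(title_key: bytes, ur: bytes, medium_id: bytes) -> dict:
    """What the recording medium device holds after steps S540/S541: the
    calculated title key (title key storage unit 630), the UR (UR storage unit
    670) and the MAC of the medium ID (MAC storage unit 680). Content omitted."""
    return {
        "calculated_title_key": calc_title_key(title_key, ur),
        "ur": ur,
        "mac": medium_mac(title_key, medium_id),
    }


def first_playback_determination(card: dict, medium_id: bytes) -> bool:
    """Steps S551/S552: recalculate the title key from the card's UR, recompute
    the MAC for the ID the medium reports, and compare with the stored MAC in
    constant time. A mismatch (copied card, edited UR) denies reading the content."""
    key = recalc_title_key(card["calculated_title_key"], card["ur"])
    return hmac.compare_digest(medium_mac(key, medium_id), card["mac"])


if __name__ == "__main__":
    # Constructed sample values, not from the patent.
    title_key = bytes(range(KEY_LEN))
    ur = b"constructed UR: play=unlimited;copy=0"
    medium_id = b"SD-CARD-ID-0001"
    card = write_to_card(title_key, ur, medium_id)
    print("same card:", first_playback_determination(card, medium_id))  # True
    print("copied to another card:",
          first_playback_determination(card, b"SD-CARD-ID-0002"))  # False
    edited = dict(card, ur=b"constructed UR: play=unlimited;copy=unlimited")
    print("UR edited on card:", first_playback_determination(edited, medium_id))  # False
```

Two properties of the design show up directly: copying every stored item to a second card still fails, because the MAC was keyed over the original card's ID, and editing the UR on the card changes the recalculated title key, so the MAC check fails before any decryption is attempted.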

[0262] (Configuration of Recording Medium Device 600)

[0263] FIG. 20 is a block diagram illustrating the functional
configuration of the principal components of the recording medium device
600.

[0265] The recording medium device 600 includes a processor and a memory.
The functions of the mutual authentication unit 620 and the encryption
and decryption unit 640 are each realized by having the processor execute
a program stored in the memory.

[0266] The recording medium device private key and certificate storage
unit 610 is a memory area for storing a recording medium device private
key and paired certificate 30. In practice, the writing of the recording
medium device private key and certificate 30 to the recording medium
device private key and certificate storage unit 610 is realized by a
recording medium manufacturing apparatus writing the private key and
certificate 30 generated by the key issuance device 200 during
manufacture of the recording medium device 600. The details of the
writing method for writing the recording medium device private key and
certificate 30 are omitted.

[0267] The root public key storage unit 611 is a memory area for storing
the root public key. In practice, the writing of the root public key to
the root public key storage unit 611 is realized during manufacture of
the recording medium device 600 by the recording medium manufacturing
apparatus writing the root public key generated by the key issuance
device 200. The details of the writing process for the root public key
are omitted.

[0268] The mutual authentication unit 620 performs mutual authentication
with the key distribution device 400 and with the terminal device 500,
sharing a common key and exchanging certificates (the key distribution
device certificate 10, the terminal device certificate 20, and the
recording medium device certificate 30) therewith. The operations
involved in the mutual authentication are as described above (see FIG.
12).

[0269] The title key storage unit 630 is a memory area for storing the
calculated title key, and for security purposes, is not readable in a
normal file system. That is, the calculated title key stored in the title
key storage unit 630 is only readable by the terminal device 500 upon
successful authentication by the mutual authentication unit 620.

[0270] The encryption and decryption unit 640 uses the common key
generated during the mutual authentication process by the mutual
authentication unit 620 to encrypt the data at transmission time and
decrypt the data at reception time, and thus securely exchanges
communications data with the key distribution device 400 and with the
terminal device 500. Specifically, the encryption and decryption unit 640
receives, from the key distribution device 400, the calculated title key
encrypted using the common key shared with the key distribution device
400 and uses the common key to decrypt the title key for storage in the
title key storage unit 630. Also, in response to a request from the
terminal device 500, the encryption and decryption unit 640 encrypts the
calculated title key stored in the title key storage unit 630 using the
common key shared with the terminal device 500, and transmits the results
thereto. Accordingly, the calculated title key is securely passed between
the recording medium device 600 and the terminal device 500, and between
the recording medium device 600 and the key distribution device 400.

[0271] The content storage unit 660 is a memory area for storing content.
The terminal device 500 performs content reading and writing in this
memory area.

[0272] The UR storage unit 670 is a memory area for storing the UR. The
terminal device 500 performs UR reading and writing in this memory area.

[0273] The MAC storage unit 680 is a memory area for storing the MAC value
of the recording medium device ID. The terminal device 500 performs MAC
value reading and writing in this memory area.

[0274] The signed data storage unit 690 is a memory area for storing the
signed data 76. The terminal device 500 performs signed data 76 reading
and writing there.

[0275] (Write Process by Recording Medium Device 600)

[0276] FIG. 21 is a flowchart indicating the write process by the
recording medium device 600.

[0277] The order of operations for the writing process made up of steps
S610 through S670 is given as an example, below. No limitation is
intended regarding the order of the steps. For example, provided that
step S610 is complete before step S620 begins, and that step S630 is
performed after step S620 is complete, steps S630 through S650 may be
performed in any order. Also, the order of steps S660 and S670 may be as
stated or reversed, provided that steps S660 and S670 are performed after
steps S630 through S650.

[0279] Given an access request from the key distribution device 400 or
from the terminal device 500, the mutual authentication unit 620 performs
mutual authentication with the requesting device to confirm that the
device is trustworthy and to simultaneously generate a common key
therewith. In subsequent communications, data are secured by encryption
and decryption with this common key (step S620). The mutual
authentication unit 620 determines whether or not the terminal device ID
of the terminal device 500 included in the terminal device certificate 20
acquired during the mutual authentication process is listed in a revoke
file. The revoke file is a separately transmitted and stored list of
revoked devices. In the affirmative case, the mutual authentication unit
620 deems the terminal device 500 to be illegitimate, cancels all
subsequent communication therewith, and concludes the writing process.

[0280] Once step S620 is complete, the encryption and decryption unit 640
receives the calculated title key from the key distribution device 400
for storage in the title key storage unit 630 (step S630).

[0281] The terminal device 500 also stores the UR in the UR storage unit
670 and the MAC value for the recording medium device ID in the MAC
storage unit 680 (steps S640 and S650).

[0282] The terminal device 500 also stores the content in the content
storage unit 660 and the signed data 76 in the signed data storage unit
690 (steps S660 and S670). The recording medium device 600 then concludes
the writing process.

[0283] Although the reading process performed by the recording medium
device 600 is not specifically illustrated, the process is performed upon
receipt of an access request (read request) from the terminal device 500.

[0284] That is, the calculated title key stored in the title key storage
unit 630 is read out by the terminal device 500 via the encryption and
decryption unit 640 during the mutual authentication process by the
mutual authentication unit 620. Also, the content stored in the content
storage unit 660, the UR stored in the UR storage unit 670, the MAC value
stored in the MAC storage unit 680, and the signed data 76 stored in the
signed data storage unit 690 are similarly read out by the terminal
device 500.

[0285] <Supplement>

(1) In the exemplary Embodiment, the recording medium device 600 is
described as an SD card or similar memory card. This is intended as an
example. For example, the recording medium device 600 may be an HDD (Hard
Disk Drive) or similar storage device incorporating a control LSI (Large
Scale Integration) in any device, such as a mobile phone, a proprietary
terminal for viewing eBooks, or another mobile device in which the memory
device is incorporated and that is not a removable memory card.

(2) In the exemplary Embodiment, data communication between the terminal
device 500 and the key distribution device 400, between the terminal
device 500 and the recording medium device 600, and between the key
distribution device 400 and the recording medium device 600 involves
protection using a common key shared during mutual authentication.
However, this is intended as an example. Rather than using the common key
for data protection, a secure communication technology such as HTTPS
(Hypertext Transfer Protocol over Secure Socket Layer) may be used.

(3) In the above-described exemplary Embodiment, the terminal device 500
performs transmission. However, no limitation is intended thereby. Rather
than having the terminal device 500 perform transmission, the key
distribution device 400 or the recording medium device 600 may be
instructed to perform transmission by a terminal device other than the
terminal device 500, and thus be configured to perform data transmission.

(4) In the exemplary Embodiment, the first playback determination unit
582 of the terminal device 500 uses the MAC value for the recording medium
device ID of the recording medium device 600 to determine whether to
perform or prevent content playback. However, this is intended as an
example. The calculated title key may also be used, for example.
Specifically, when the calculated title key has been obtained by applying
an XOR operation to the title key and to the hash value of the UR, an
additional XOR operation may be applied to the calculated title key and
the recording medium device ID of the recording medium device 600 or to
the hash value thereof, and the result of the XOR operation may then be
used. Alternatively, the key issuance device 200 or the key distribution
device 400 may simply sign the recording medium device ID of the recording
medium device 600, and the first playback determination unit 582 may then
verify the signature to determine whether to perform or prevent content
playback.

(5) In the exemplary Embodiment, the signature unit 152 of the content
production device 100 applies a signature to the content ID in order to
prevent tampering therewith. However, the signature by the signature unit
152 may also be accompanied or replaced with a signature by the key
issuance device 200.

(6) In the exemplary Embodiment, the terminal device 500 is a DVD or BD
player, and the content produced by the content production device 100 is
distributed to the terminal device 500 via a recording medium such as a
BD. However, the content produced by the content production device 100
may also be modified for distribution to the terminal device 500 over the
Internet. Specifically, a variant of the content distribution system 1000
described in the Embodiment may further include a content distribution
device. In this variant, the terminal device 500 is not limited to a DVD
or BD player but may also be a personal computer capable of connecting to
the Internet. The content produced by the content production device 100
is then registered by the content distribution device and distributed to
the terminal device 500 by a method such as streaming over the Internet or
being downloaded from the content distribution device.

(7) As described in the exemplary Embodiment, when, as shown in FIG. 9,
the authentication of the writeout authentication request data 40 from
the terminal device 500 is successful (YES in step S330), the content
distribution authentication device 300 generates the authentication ID
for transmission to the terminal device 500 (step S340), and transmits
the authentication ID and paired UR to the key distribution device 400
(step S350).

[0286] However, the authentication ID may be generated in advance rather
than during step S340, and such a pre-generated authentication ID may
then be transmitted in steps S340 and S350. Also, in variation (6)
described above, the content distribution authentication device 300 may
perform steps S340 and S350 every time the content is downloaded.

[0287] When this variation is employed, the timing of authentication ID
and UR reception in step S420 of the pre-distribution process performed
by the key distribution device 400 indicated in FIG. 14 may be modified
to match.

(8) In the exemplary Embodiment, the position designation information
generated by the position designation unit 460 of the key distribution
device 400 is information indicating the position and size of a content
portion subject to hash value comparison by the verification unit 462,
taken from the content that the terminal device 500 is attempting to
write onto the recording medium device 600.

[0288] However, the position designation information may also designate
the position and size of each of a plurality of such portions, as content
portions subject to hash value comparison. In other words, the content
portion may be made up of a plurality of portions of the content that the
terminal device 500 is attempting to write to the recording medium device
600.

[0289] Also, the position designation information is not limited to
indicating a portion of the content that the terminal device 500 is
attempting to write onto the recording medium device 600, and may
alternatively indicate the entirety of such content.

(9) In the exemplary Embodiment, when the MAC values do not match, the
first playback determination unit 582 of the terminal device 500 inhibits
content playback by not permitting the content reading unit 586 to read
the content. However, the first playback determination unit 582 may also
inhibit content playback by not permitting the content decryption unit
590 to decrypt the content, or by not permitting the content playback
unit 591 to decode or output the content to the output device.

[0290] Also, in the exemplary Embodiment, when the hash values do not
match, the second playback determination unit 587 of the terminal device
500 inhibits content playback by not permitting the content decryption
unit 590 to decrypt the content. However, the second playback
determination unit 587 may also inhibit content playback by not
permitting the content playback unit 591 to decode or output the content
to the output device.

(10) As described in the exemplary Embodiment, the title key storage unit
630 of the recording medium device 600 stores the calculated title key.
However, the raw, uncalculated title key for the key distribution device
400 generated by the title key generation unit 450 may also be
transmitted to the recording medium device 600, such that the recording
medium device 600 stores the raw title key (the key distribution device,
terminal device, and recording medium device pertaining to this variation
are hereinafter respectively termed the variant key distribution device,
the variant terminal device, and the variant recording medium device).

[0291] Specifically, as indicated in FIG. 25, the variant key distribution
device replaces step S460 of the process performed by the key
distribution device 200 and indicated in FIG. 15 with step S460a. That
is, the title key transmission unit of the variant key distribution
device transmits the title key generated by the title key generation unit
450 to the recording medium device 600 via the encryption and decryption
unit 455 (step S460a).

[0292] Also, as shown in FIG. 26, the variant terminal device replaces
steps S540 and S541 of the process performed by the terminal device 500
and indicated in FIG. 18 with steps S540a and S541a. In other words, the
MAC, UR, and signed data recording unit 542 of the variant terminal
device records the MAC value and UR output by the MAC, UR, and signed
data reception unit 541 to the recording medium device 600. Further, the
title key acquisition unit of the variant terminal device acquires the
title key from the recording medium device 600 via the encryption and
decryption unit 533 (step S540a) for storage in the title key storage
unit 545. Also, the encryption unit 550 encrypts the plain-text content
acquired by the content acquisition unit 220 using the title key stored
in the title key storage unit 545 (step S541a).

[0293] Also, as shown in FIG. 27, the variant terminal device replaces
steps S550 and S551 of the process performed by the terminal device 500
and indicated in FIG. 19 with steps S550a and S551a. That is, the title
key acquisition unit of the variant terminal device acquires the title
key from the recording medium device 600 via the encryption and
decryption unit 533 for storage in the title key storage unit 545 (step
S550a). Also, the MAC reading unit 580 reads the MAC value corresponding
to the content to be played back from the recording medium device 600
(step S551a).

[0294] Further, as shown in FIG. 28, the variant recording medium device
replaces step S630 of the process performed by the recording medium
device 600 and indicated in FIG. 21 with step S630a. That is, the
encryption and decryption unit 640 of the variant recording medium device
receives the title key from the key distribution device 400 for storage
in the title key storage unit 630 (step S630a).

(11) Each component described in the exemplary Embodiment may be realized
in whole or in part as an integrated circuit on a single chip or on
multiple chips, or may be realized as a computer program or in some other
manner.

[0295] Also, the components described in the exemplary Embodiment realize
the effects thereof in cooperation with the processor of the device in
which each respective component is included (i.e., the content production
device 100, the key issuance device 200, the content distribution
authentication device 300, the key distribution device 400, the terminal
device 500, and the recording medium device 600).

(12) A program for causing the processor to run the devices described in
the exemplary Embodiment (i.e., the content production device 100, the
key issuance device 200, the content distribution authentication device
300, the key distribution device 400, the terminal device 500, and the
recording medium device 600) (see FIGS. 3, 6, 9, 14, 15, 18, 19, and 21)
may be recorded on a recording medium or distributed through various
types of communication lines. The recording medium may be an IC card, a
hard disk, an optical disc, a floppy disc, ROM, flash memory, or similar.
The program so distributed is provided for use by storage in
processor-readable memory in the relevant device. The processor realizes
the functions of the device (i.e., the content production device 100, the
key issuance device 200, the content distribution authentication device
300, the key distribution device 400, the terminal device 500, and the
recording medium device 600), as described in the Embodiment, by having
the processor execute the relevant program.

(13) Variations (1) through (12), described above, may be applied to the
entirety of or to a subset of the devices making up the content
distribution system 1000 pertaining to the exemplary Embodiment.

(14) A variant configuration for the content recording control system,
server device, and terminal device is described below, along with the
effects thereof, as a variant Embodiment of the present disclosure.

(a) As shown in FIG. 22, a terminal device 2500
pertaining to a non-limiting aspect of the present disclosure records
content onto a recording medium device 2600, a permission to record the
content onto the recording medium device 2600 being granted by a server
device 2400, the terminal device 2500 comprising: a generation unit 2510
generating a value calculated so as to represent subject content for
which a permission to record onto the recording medium device 2600 is
requested; an information transmission unit 2520 requesting the
permission from the server device 2400 to record the subject content onto
the recording medium device 2600 by transmitting information indicating
the value generated by the generation unit 2510 to the server device
2400; a signature reception unit 2530 receiving subject content signature
data from the server device 2400, the subject content signature data
being transmitted by the server device 2400 upon granting the permission
to record the subject content onto the recording medium device 2600; and
a recording unit 2540 recording the subject content onto the recording
medium device 2600 as one of plain-text data and encrypted data, as well
as the subject content signature data received by the signature reception
unit 2530.

[0296] The server device 2400, the terminal device 2500, and the recording
medium device 2600 correspond, for example, to the key distribution
device 400, the terminal device 500, and the recording medium device 600
of the exemplary Embodiment. Also, the generation unit 2510 corresponds
to the hash calculation and unsigned data generation unit 560 of the
exemplary Embodiment, while the information transmission unit 2520
corresponds to the unsigned data and content transmission unit 561 of the
exemplary Embodiment, for example. Further, for example, the signature
reception unit 2530 corresponds to the MAC, UR, and signed data reception
unit 541 of the Embodiment, while the recording unit 2540 corresponds to
the MAC, UR, and signed data recording unit 542 combined with the content
recording unit 551 of the exemplary Embodiment.

[0297] The terminal device 2500 records the subject content to the
recording medium device 2600 once the server device 2400 grants the
permission to record the content onto the recording medium device 2600.
Thus, the recording of content for which no permission to record onto the
recording medium device 2600 has been granted, such as illegitimately
duplicated content, is inhibited.

[0298] Also, the terminal device 2500 records the signed data transmitted
by the server device 2400 onto the recording medium device 2600, as well
as the content. Accordingly, a legitimate playback device is controlled
so as to not play back content having no signed data recorded therewith.
Thus, content hypothetically recorded onto the recording medium device by
a hacked terminal device 2500 without receiving the permission from the
server device 2400 is not permitted to be played back.

(b) Also, the generation unit optionally generates a hash value for the
subject content to serve as the value.

[0299] The terminal device transmits information indicating the hash value
of the subject content. Thus, the server device is able to specify the
subject content for which permission to record onto the recording medium
device is requested. This is based on the fact that different content
will normally result in a different hash value.

(c) Also, optionally, the generation unit generates the hash value for
each of a plurality of content portions making up the subject content,
and upon receipt of designation information designating one or more of
the content portions, the information transmission unit further transmits
each designated content portion to the server device as designated by the
designation information transmitted by the server device in order to
determine whether or not to grant the permission.

[0300] The terminal device transmits a portion of the subject content to
the server device as indicated in designation information received from
the server device. Accordingly, the server device determines whether or
not to grant the permission to record the subject content onto the
recording medium device by calculating a hash value from the portion of
the subject content, matching the calculated hash value with the hash
value for the subject content received from the terminal device, and
making the determination in accordance with the results.

(d) Optionally, the data recorded onto the recording medium device by the
recording unit result from encryption of the subject content using a
title key for the subject content.

[0301] The terminal device encrypts the subject content using the title
key thereof prior to recording onto the recording medium device. The
subject content is thus protected.

(e) As shown in FIG. 22, a server device 2400 pertaining to a
non-limiting aspect of the present disclosure determines whether or not
to grant to a terminal device 2500 a permission to record content onto a
recording medium device 2600, the server device 2400 comprising: an
information reception unit 2410 receiving information from the terminal
device 2500, the information indicating a value calculated so as to
represent subject content for which a permission to record onto the
recording medium device 2600 is requested; a determination unit 2420
determining whether or not to grant the permission to record the subject
content onto the recording medium device 2600 depending on the value
indicated in the information received by the information reception unit
2410; a signature unit 2430 generating subject content signature data
when the determination unit 2420 grants the permission to record; and a
signature transmission unit 2440 transmitting the subject content
signature data generated by the signature unit 2430 to the terminal
device 2500.

[0302] The information reception unit 2410 corresponds to the unsigned
data and content reception unit 461 of the exemplary Embodiment, while
the determination unit 2420 corresponds to the verification unit 462 of
the exemplary Embodiment, for example. Also, the signature unit 2430
corresponds to the signature unit 470 of the exemplary Embodiment, while
the signature transmission unit 2440 corresponds to the signed data
transmission unit 471 of the exemplary Embodiment, for example.

[0303] The server device 2400 determines whether or not to grant the
permission to record the subject content onto the recording medium device
2600 according to the information indicating the value calculated so as
to represent the subject content. Accordingly, the server device 2400 is
able to identify the subject content for which the permission to record
onto the recording medium device 2600 has been granted.

[0304] When permission to record the subject content onto the recording
medium device 2600 is granted, signed data for the subject content are
generated and transmitted to the terminal device 2500. Accordingly, a
legitimate playback device is controlled so as to not play back content
having no signed data recorded therewith. Thus, content hypothetically
recorded onto the recording medium device by a hacked terminal device
2500 without receiving the permission from the server device 2400 is not
permitted to be played back.

(f) Optionally, the information received by the information reception
unit indicates hash values each calculated for one of a plurality of
content portions making up the subject content, the server device further
comprises a designation unit generating designation information and
transmitting the designation information to the terminal device, the
designation information designating one or more of the content portions
to be transmitted by the terminal device upon receipt of the information
by the information reception unit, the information reception unit further
receives each designated content portion transmitted by the terminal
device in response to the designation information transmitted by the
designation unit, and the determination unit determines whether or not
matching occurs between: a designated hash value of the portion
designated in the designation information generated by the designation
unit, among the hash values in the information received by the
information reception unit, and a calculated hash value for the
designated content portion received by the information reception unit,
and grants the permission to record the subject content onto the
recording medium device upon matching.

[0305] The designation unit corresponds to the position designation unit
460 of the exemplary Embodiment.

[0306] The server device calculates a hash value for the designated
portion of the subject content, and grants the permission to record the
subject content onto the recording medium device when matching occurs
between the calculated hash value and the hash value of the portion as
indicated in the information received from the terminal device.
Accordingly, an unwanted situation, such as recording content onto the
recording medium device by exchanging the content on the terminal device,
is prevented from occurring.

(g) Optionally, the designation unit generates position information
indicating a position within the subject content for at least one
randomly-selected content portion among the content portions making up
the subject content for use as the designation information.

[0307] The server device randomly selects the content portion.
Accordingly, an unwanted situation, such as recording content onto the
recording medium device by partially exchanging the content on the
terminal device, is prevented from occurring.
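As an added example that is not part of the disclosure, the following Python sketch runs the portion-hash exchange of items (c), (f) and (g) end to end (terminal reports per-portion hashes, server designates random positions, terminal sends those portions, server recomputes and matches before issuing signed data) and then applies the playback check of paragraph [0298]. SHA-256 as the hash, HMAC as a stand-in for the server's signature scheme, the portion size, the key and the sample content are all assumptions of this example.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

PORTION_SIZE = 4  # bytes per content portion; tiny so the sample splits into several (constructed)
SERVER_KEY = b"constructed-server-signing-key"  # stands in for the server's signing key (assumption)


def split_portions(content: bytes) -> list[bytes]:
    return [content[i:i + PORTION_SIZE] for i in range(0, len(content), PORTION_SIZE)]


def portion_hashes(content: bytes) -> list[str]:
    """Generation unit (item (c)): one SHA-256 hash per content portion."""
    return [hashlib.sha256(p).hexdigest() for p in split_portions(content)]


def designate_positions(num_portions: int, count: int, rng: random.Random) -> list[int]:
    """Designation unit (item (g)): randomly selected portion positions."""
    return sorted(rng.sample(range(num_portions), min(count, num_portions)))


def hashes_match(reported: list[str], positions: list[int], portions: list[bytes]) -> bool:
    """Determination unit (item (f)): recompute the hash of each transmitted
    portion and compare it with the reported hash at the designated position."""
    if len(positions) != len(portions):
        return False
    for pos, portion in zip(positions, portions):
        if not 0 <= pos < len(reported):
            return False
        if not hmac.compare_digest(hashlib.sha256(portion).hexdigest(), reported[pos]):
            return False
    return True


def sign(reported: list[str]) -> str:
    """Signature unit: signed data over the whole hash list. HMAC stands in
    for the signature scheme the disclosure leaves unspecified (assumption)."""
    return hmac.new(SERVER_KEY, "".join(reported).encode(), hashlib.sha256).hexdigest()


@dataclass
class Terminal:
    hashed: bytes       # content whose portion hashes the terminal reports
    transmitted: bytes  # content it actually sends when portions are designated

    def portions_at(self, positions: list[int]) -> list[bytes]:
        parts = split_portions(self.transmitted)
        return [parts[p] if p < len(parts) else b"" for p in positions]


def run_exchange(terminal: Terminal, seed: int, count: int = 2):
    """Full exchange; returns (granted, signed_data or None). The seed only
    makes the server's random designation reproducible for the demo."""
    reported = portion_hashes(terminal.hashed)                         # S10/S11
    positions = designate_positions(len(reported), count, random.Random(seed))
    portions = terminal.portions_at(positions)                         # terminal -> server
    if not hashes_match(reported, positions, portions):                # S21
        return False, None
    return True, sign(reported)                                        # S22b/S23


def playback_allowed(content: bytes, signed_data) -> bool:
    """Legitimate playback device ([0298]): refuses content lacking valid signed
    data. A real scheme would verify with the server's public key instead."""
    return signed_data is not None and hmac.compare_digest(sign(portion_hashes(content)), signed_data)


LEGIT = b"legit-movie-data-0001"    # constructed sample content (6 portions)
SWAPPED = b"PIRATE-COPY-DATA-9999"  # constructed; same length, every portion differs

if __name__ == "__main__":
    print(run_exchange(Terminal(LEGIT, LEGIT), seed=7))     # honest terminal: granted
    print(run_exchange(Terminal(LEGIT, SWAPPED), seed=7))   # reports legit hashes, sends other content: refused
```

Because the designated positions are chosen by the server after the hashes are reported, a terminal that reports hashes of one content and transmits another fails the match whichever positions are drawn.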

(h) Optionally, the server device further comprises an authentication
information reception unit receiving authentication information
transmitted to the server device and to the terminal device from an
authentication device upon authenticating the subject content as being
pre-registered, in response to a request from the terminal device; a
title key generation unit generating one of a plain-text title key and an
encrypted title key for the subject content upon receipt of
authentication information transmitted by the terminal device that
matches the authentication information received by the authentication
information reception unit, the key being used by the terminal device
when recording the subject content onto the recording medium device as
encrypted data; and a title key transmission unit transmitting one of the
title key generated by the title key generation unit and a calculated
title key generated by applying a predetermined operation to the title
key to the recording medium device for recording.

[0308] The authentication device corresponds, for example, to the content
distribution authentication device 300 of the exemplary Embodiment. Also,
for example, the authentication information reception unit corresponds to
the authentication ID and UR reception unit 421 of the exemplary
Embodiment, the title key generation unit corresponds to the title key
generation unit 450 of the exemplary Embodiment, and the title key
transmission unit corresponds to the title key transmission unit 454 of
the exemplary Embodiment.

[0309] When the subject content is authenticated by the authentication
device as being pre-registered, the server device generates the title key
and records the title key, or a calculated title key calculated
therefrom, onto the recording medium device. Accordingly, the terminal
device encrypts the subject content using the title key or the calculated
title key prior to recording onto the recording medium device. As such,
the server device prevents the recording of subject content onto a
recording medium where the title key or the calculated title key has not
been recorded.

(i) As shown in FIG. 22, a content recording control system pertaining to
a non-limiting aspect of the present disclosure comprises: a server
device 2400 determining whether or not to grant a permission to record
content onto a recording medium device 2600; and a terminal device 2500
recording the content onto the recording medium device 2600, the
permission to record the content onto the recording medium device 2600
being granted by the server device 2400, the terminal device 2500
comprising: a generation unit 2510 generating a value calculated so as to
represent subject content for which a permission to record onto the
recording medium device 2600 is requested; an information transmission
unit 2520 requesting the permission from the server device 2400 to record
the subject content onto the recording medium device 2600 by transmitting
information indicating the value generated by the generation unit 2510 to
the server device 2400; a signature reception unit 2530 receiving subject
content signature data from the server device 2400, the subject content
signature data being transmitted by the server device 2400 upon granting
the permission to record the subject content onto the recording medium
device 2600; and a recording unit 2540 recording the subject content onto
the recording medium device 2600 as one of plain-text data and encrypted
data, as well as the subject content signature data received by the
signature reception unit 2530, and the server device 2400 comprising: an
information reception unit 2410 receiving the information transmitted by
the terminal device 2500; a determination unit 2420 determining whether
or not to grant the permission to record the subject content onto the
recording medium device 2600 depending on the value indicated in the
information received by the information reception unit 2410; a signature
unit 2430 generating subject content signature data when the
determination unit 2420 grants the permission to record; and a signature
transmission unit 2440 transmitting the subject content signature data
generated by the signature unit 2430 to the terminal device 2500.

[0310] The terminal device 2500 of the content recording control system
2000 records the subject content onto the recording medium device 2600
once the server device 2400 grants the permission to record the content
onto the recording medium device 2600. Thus, the recording of content for
which no permission to record onto the recording medium device 2600 has
been granted, such as illegitimately duplicated content, is inhibited.

[0311] Also, the terminal device 2500 records the signed data transmitted
by the server device 2400, as well as the subject content, onto the
recording medium device 2600. Accordingly, a legitimate playback device
is controlled so as to not play back content having no signed data
recorded therewith. Thus, subject content hypothetically recorded onto
the recording medium device by a hacked terminal device 2500 without
receiving the permission from the server device 2400 is prevented from
being played back.

[0312] Also, the server device 2400 of the content recording control
system 2000 determines whether or not to permit recording of the subject
content onto the recording medium device 2600 according to the
information indicating a value calculated so as to represent the
composition of the subject content. Accordingly, the server device 2400
is able to identify the subject content for which the permission to
record onto the recording medium device 2600 has been granted.

(j) As shown in FIG. 23, a recording method pertaining to a non-limiting
aspect of the present disclosure is used by a terminal device recording
content onto a recording medium device, a permission to record the
content onto the recording medium device being granted by a server
device, the recording method comprising: a generation step S10 of
generating a value calculated so as to represent subject content for
which a permission to record onto the recording medium device is
requested; an information transmission step S11 of requesting the
permission from the server device to record the subject content onto the
recording medium device by transmitting information indicating the value
generated in the generation step S10 to the server device; a signature
reception step S12 of receiving subject content signature data from the
server device, the subject content signature data being transmitted by
the server device upon granting the permission to record the subject
content onto the recording medium device; and a recording step S13 of
recording the subject content onto the recording medium device as one of
plain-text data and encrypted data, as well as the subject content
signature data received in the signature reception step S12.

[0313] The processes of the generation step S10 and the information
transmission step S11 correspond to the generation of the unsigned data
and the subsequent transmission process indicated in step S542 of FIG.
18, for example. Also, the processes of the signature reception step S12
and the recording step S13 correspond to the reception determination
process of step S453 and the signed data and content recording process of
step S545, indicated in FIG. 18, for example.

[0314] According to this recording method, the terminal device records the
subject content onto the recording medium device once the server device
grants the permission to record the content onto the recording medium
device. Thus, the recording of content for which no permission to record
onto the recording medium device has been granted, such as illegitimately
duplicated content, is inhibited.

[0315] Also, according to this recording method, the terminal device
records the signed data transmitted by the server device, as well as the
subject content, onto the recording medium device. Accordingly, a
legitimate playback device is controlled so as to not play back content
having no signed data recorded therewith. Thus, subject content
hypothetically recorded onto the recording medium device by a hacked
terminal device without receiving permission from the server device is
prevented from being played back.

(k) As shown in FIG. 24, a recording permission control method pertaining
to a non-limiting aspect of the present disclosure is used by a server
device determining whether or not to grant to a terminal device a
permission to record content onto a recording medium device, the
recording permission control method comprising: an information reception
step S20 of receiving information from the terminal device, the
information indicating a value calculated so as to represent subject
content for which a permission to record onto the recording medium device
is requested; a determination step S21 of determining whether or not to
grant the permission to record the subject content onto the recording
medium device depending on the value indicated in the information
received in the information reception step; a signature step S22b of
generating subject content signature data when the permission to record
is granted in the determination step (YES in step S22a); and a signature
transmission step S23 of transmitting the subject content signature data
generated in the signature step S22b to the terminal device.

[0316] The process of the information reception step S20 corresponds to the
unsigned data reception process of step S465 indicated in FIG. 15, while
the process of the determination step S21 corresponds to the hash value
determination process of step S470 also indicated in FIG. 15, for
example. Further, the processes of the signature step S22b and of the
signature transmission step S23 correspond to the signed data generation
and transmission process of step S475 indicated in FIG. 15.

[0317] According to this recording permission control method, the server
device determines whether or not to permit the recording of the subject
content onto the recording medium device according to the information
indicating a value calculated so as to represent the subject content.
Accordingly, the server device is able to identify the subject content
for which the permission to record onto the recording medium device has
been granted.

[0318] When permission to record the subject content onto the recording
medium device is granted, signed data for the subject content are
generated and transmitted to the terminal device. As such, according to
this recording permission control method, a legitimate playback device is
controlled so as to not play back content having no signed data recorded
therewith. Thus, subject content hypothetically recorded onto the
recording medium device by a hacked terminal device without the
permission from the server device is prevented from being played back.

INDUSTRIAL APPLICABILITY

[0319] The terminal device of the present disclosure is applicable to
inhibiting the recording of illegitimately duplicated content and the
like onto a recording medium device.